SNARKeling Treasure Hunt
First Flight #59
Beginner FriendlyGameFiFoundry
100 EXP
View all submissions
Previous Next
Submission Details
Impact: low
Likelihood: high

Logical Denial of Service for Self-Recipients

Author Revealed upon completion

Root + Impact

Description

Normally, a user performing an action on-chain expects to be able to receive the resulting proceeds in their own wallet.

The contract explicitly reverts if the recipient address is equal to the msg.sender. This creates an unnecessary hurdle for users and provides no additional security, as a user can simply generate a proof for a secondary burner wallet.

// Root cause in the codebase
@> if (recipient == address(0) || recipient == address(this) || recipient == owner || recipient == msg.sender) revert InvalidRecipient();

Risk

Likelihood: High

  • Standard user behavior is to use one wallet; this check will trigger for almost all initial attempts by users.

Impact: Low

  • The contract prevents the msg.sender from being the recipient of the reward. This forces users to manage multiple addresses and complicates the ZK-proof generation process, as the recipient address is typically a public input bound to the proof.

Proof of Concept

Recommended Mitigation

Allow the msg.sender to be the recipient of the funds.

- if (recipient == address(0) || recipient == address(this) || recipient == owner || recipient == msg.sender) revert InvalidRecipient();
+ if (recipient == address(0) || recipient == address(this) || recipient == owner) revert InvalidRecipient();

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!