Submission Details
Impact:
Likelihood:
No Validation That `rewards.length == players.length`
[M-01] — No Validation That rewards.length == players.length
Severity: Medium
File: src/Pot.sol
Function: constructor()
Lines: 18–29
src/Pot.sol
└── constructor()
L18: i_players = players;
L19: i_rewards = rewards;
...
L26: for (uint256 i = 0; i < i_players.length; i++) {
L27: playersToRewards[i_players[i]] = i_rewards[i]; ← OOB if lengths mismatch
L28: }
Summary
The constructor zips players and rewards by index with no length check. If rewards.length > players.length, excess reward values are silently ignored and tokens funded via totalRewards become unclaimable. There is also no check that sum(rewards) == totalRewards.
Vulnerability Details
// src/Pot.sol — constructor — Lines 26–28
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i]; // OOB revert if rewards shorter
}
// No check: rewards.length == players.length
// No check: sum(rewards) == totalRewards
Impact
Misconfiguration silently locks tokens or blocks player claims.
Severity: Medium — operational risk, fund loss through misconfiguration.
Tools Used
Manual analysis
Recommendations
// src/Pot.sol — constructor — after Line 17
+ if (players.length != rewards.length) revert Pot__ArrayLengthMismatch();
+ uint256 sum;
+ for (uint256 i = 0; i < rewards.length; i++) sum += rewards[i];
+ if (sum != totalRewards) revert Pot__RewardSumMismatch();
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.