MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Missing Input Validation in createContest()

muzammilmohammed678

Root + Impact

Description

The `createContest()` function does not validate that the `players` and `rewards` arrays have matching lengths, that the sum of rewards equals `totalRewards`, or that the arrays are non-empty. This can lead to creation of invalid Pot contracts with mismatched data, causing incorrect reward distribution or DoS conditions.

Without validation, a Pot can be created where players and rewards arrays are misaligned, or where the total rewards don't match the sum of individual rewards, leading to accounting errors.

```solidity

// Root cause in the codebase

16| function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)

17| public

18| onlyOwner

19| returns (address)

20| {

21| // Create a new Pot contract

22| Pot pot = new Pot(players, rewards, token, totalRewards);

```

Risk

Likelihood:

* This occurs when the owner creates a contest with invalid input parameters

* The issue manifests when arrays are mismatched or reward sums don't align

Impact:

* Invalid Pot contracts can be created, leading to incorrect reward distribution

* Players may not receive their intended rewards

* Accounting errors can occur if sum of rewards doesn't match totalRewards

* DoS conditions if arrays are empty or have mismatched lengths

* Funds can be locked or incorrectly distributed

Proof of Concept

```solidity

// Scenario 1: Mismatched array lengths

address[] memory players = [player1, player2];

uint256[] memory rewards = [100, 200, 300]; // 3 rewards for 2 players

// Pot constructor will only map first 2 rewards, third is ignored

// Accounting becomes incorrect

// Scenario 2: Sum doesn't match totalRewards

address[] memory players = [player1, player2];

uint256[] memory rewards = [100, 200]; // Sum = 300

uint256 totalRewards = 500; // Mismatch!

// Pot is created with incorrect totalRewards, leading to accounting errors

// Scenario 3: Empty arrays

address[] memory players = [];

uint256[] memory rewards = [];

// Pot created with no players, closePot() will divide by zero

```

Recommended Mitigation

```diff

function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)

public

onlyOwner

returns (address)

{

+ require(players.length > 0, "Players array cannot be empty");

+ require(players.length == rewards.length, "Players and rewards arrays must have same length");

+ uint256 sumRewards = 0;

+ for (uint256 i = 0; i < rewards.length; i++) {

+ sumRewards += rewards[i];

+ }

+ require(sumRewards == totalRewards, "Sum of rewards must equal totalRewards");

// Create a new Pot contract

Pot pot = new Pot(players, rewards, token, totalRewards);

contests.push(address(pot));

contestToTotalRewards[address(pot)] = totalRewards;

return address(pot);

}

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!