MyCut
AI First Flight #8
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Duplicate Player Addresses Cause Reward Overwrite and Incorrect Claims

cryptostellar5

Root + Impact

Description

The Pot contract assumes that each entry in the players array represents a unique participant. However, this assumption is never validated.

If the same address appears multiple times in the players array, the reward accounting becomes incorrect due to the use of a mapping keyed by address:

mapping(address => uint256) private playersToRewards;

Constructor:

for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}

Claim:

playersToRewards[player] = 0;

Because mappings overwrite values for the same key, duplicate player addresses result in:

  • Earlier rewards being silently overwritten

  • Reward amounts not being accumulated

  • Incorrect reward claims

  • Loss of funds or unfair distribution

Risk

Likelihood:

The contract treats players as a list of identities but stores rewards in a mapping that enforces uniqueness by address. It does not check for duplicate addresses and does not aggregate rewards for repeated addresses. This creates a mismatch between array semantics and mapping semantics.

Impact:

  • Rewards assigned to duplicate addresses are overwritten, not accumulated. This results in irreversible loss of funds.

  • When the duplicated address calls claimCut():

playersToRewards[player] = 0;

This clears all rewards for that address, even if it was supposed to receive multiple entries.

Proof of Concept

In the POC there are duplicate player entries at index 0 and 1, player1 should receive 400, but only receives 300

address[] playersDup = [player1, player2, player1];
uint[] rewardsDup = [100, 200, 300];
function testDuplicatePlayerAddressBreaksRewards() public mintAndApproveTokens {
vm.startPrank(user);
contest = ContestManager(conMan).createContest(
playersDup,
rewardsDup,
IERC20(weth),
600
);
ContestManager(conMan).fundContest(0);
vm.stopPrank();
// player1 should receive 400, but only receives 300
assertEq(Pot(contest).checkCut(player1), 300);
}

Recommended Mitigation

Enforce uniqueness in order to ensure that players can be entered in the array only once

mapping(address => bool) seen;
for (uint256 i = 0; i < players.length; i++) {
require(!seen[players[i]], "Duplicate player");
seen[players[i]] = true;
playersToRewards[players[i]] = rewards[i];
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] [M1] `Pot::constructor` Overwrites Rewards for Duplicate Players, Leading to Incorrect Distribution

## Description The `for` loop inside the `Pot::constructor` override the `playersToRewards[i_players[i]]` with new reward `i_rewards[i]`.So if a player's address appears multiple times, the reward is overwritten rather than accumulated. This results in the player receiving only the reward from the last occurrence of their address in the array, ignoring prior rewards. ## Vulnerability Details **Proof of Concept:** 1. Suppose i_players contains \[0x123, 0x456, 0x123] and i_rewards contains \[100, 200, 300]. 2. The playersToRewards mapping will be updated as follows during construction: - For address 0x123 at index 0, reward is set to 300. - For address 0x456 at index 1, reward is set to 200. - For address 0x123 at index 2, reward is updated to 100. 3. As a result, the final reward for address 0x123 in playersToRewards will be 100, not 400 (300+100).This leads to incorrect and lower reward distributions. **Proof of Code (PoC):** place the following in the `TestMyCut.t.sol::TestMyCut` ```Solidity address player3 = makeAddr("player3"); address player4 = makeAddr("player4"); address player5 = makeAddr("player5"); address[] sixPlayersWithDuplicateOneAddress = [player1, player2, player3, player4, player1, player5]; uint256[] rewardForSixPlayers = [2, 3, 4, 5, 6, 7]; uint256 totalRewardForSixPlayers = 27; // 2+3+4+5+6+7 function test_ConstructorFailsInCorrectlyAssigningReward() public mintAndApproveTokens { for (uint256 i = 0; i < sixPlayersWithDuplicateOneAddress.length; i++) { console.log("Player: %s reward: %d", sixPlayersWithDuplicateOneAddress[i], rewardForSixPlayers[i]); } /** * player1 has two occurance in sixPlayersWithDuplicateOneAddress ( at index 0 and 4) * So it's expected reward should be 2+6 = 8 */ vm.startPrank(user); contest = ContestManager(conMan).createContest(sixPlayersWithDuplicateOneAddress, rewardForSixPlayers, IERC20(ERC20Mock(weth)), totalRewardForSixPlayers); ContestManager(conMan).fundContest(0); vm.stopPrank(); uint256 expectedRewardForPlayer1 = rewardForSixPlayers[0] + rewardForSixPlayers[4]; uint256 assignedRewardForPlaye1 = Pot(contest).checkCut(player1); console.log("Expected Reward For Player1: %d", expectedRewardForPlayer1); console.log("Assigned Reward For Player1: %d", assignedRewardForPlaye1); assert(assignedRewardForPlaye1 < expectedRewardForPlayer1); } ``` ## Impact The overall integrity of the reward distribution process is compromised. Players with multiple entries in the i_players\[] array will only receive the reward from their last occurrence in the array, leading to incorrect and lower reward distributions. ## Recommendations **Recommended Mitigation:** Aggregate the rewards for each player inside the constructor to ensure duplicate addresses accumulate rewards instead of overwriting them.This can be achieved by using the += operator in the loop that assigns rewards to players. ```diff for (uint256 i = 0; i < i_players.length; i++) { - playersToRewards[i_players[i]] = i_rewards[i]; + playersToRewards[i_players[i]] += i_rewards[i]; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!