MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: low

Invalid

[M-6] Missing Players/Rewards Length Validation Causes Deployment Failure

jck

[M-6] Missing Players/Rewards Length Validation Causes Deployment Failure

Description

Normal behavior: The constructor of Pot should only accept arrays of equal length for players and rewards. Each player must have exactly one corresponding reward.
Issue: There is no validation in the constructor to enforce players.length == rewards.length. If mismatched arrays are passed, the constructor can panic due to array out-of-bounds access or arithmetic underflow, causing deployment to fail entirely.

Expected Behavior

Deployment should succeed only when players.length == rewards.length.
Each player is correctly mapped to a single reward.
Mismatched arrays should revert gracefully with a clear error message.

Actual Behavior

Deployment panics when players.length != rewards.length.
Panic occurs due to low-level Solidity array operations failing (out-of-bounds access).
The contract cannot be deployed, blocking deployment scripts or automated pipelines.

Risk Assessment

Likelihood — Low

Requires misconfiguration or human error during deployment (e.g., manual array construction or faulty script).

Impact — Medium

Deployment failure is critical: the contract cannot be used, breaking the intended functionality.
Any automation relying on successful deployment (scripts, CI/CD, other contracts) will fail.

Severity — Medium (M)

While the occurrence is unlikely, the impact is immediate and deployment-breaking.

Proof of Concept

This PoC demonstrates the bug exactly as it occurs in the wild using Foundry:

The test first shows a normal deployment with matching arrays succeeds.
It then attempts a mismatched deployment.
The constructor panics due to array index out-of-bounds, demonstrating the real-world impact: deployment failure.
This shows the bug is not just a logical mismatch — it’s deployment-blocking.

function test_MismatchedPlayersRewards_Impact() public {

// -------------------------------

// Normal deployment: matched arrays

// -------------------------------

address ;

uint256 ;

goodPlayers[0] = player1;

goodPlayers[1] = player2;

goodRewards[0] = 1 ether;

goodRewards[1] = 1 ether;

// Works as expected

Pot goodPot = new Pot(goodPlayers, goodRewards, weth, 2 ether);

console.log("Normal deployment: SUCCESS");

// -------------------------------

// Buggy deployment: mismatched arrays

// -------------------------------

address ;

uint256 ; // <-- BUG!

badPlayers[0] = player1;

badPlayers[1] = player2;

badRewards[0] = 1 ether;

console.log("\nBuggy deployment attempt:");

console.log("players.length = 2, rewards.length = 1");

// Deployment will panic

try new Pot(badPlayers, badRewards, weth, 2 ether) returns (Pot) {

console.log("UNEXPECTED: Deployment succeeded!");

revert("Should have reverted!");

} catch (bytes memory reason) {

console.log("Deployment failed as expected!");

console.logBytes(reason);

// Interpret panic

if (reason.length == 4) {

bytes4 selector = bytes4(reason);

console.logString("Error selector:");

console.logBytes4(selector);

} else if (reason.length > 4) {

(uint256 panicCode) = abi.decode(reason, (uint256));

console.log("Panic code:", panicCode);

console.log("Meaning: Array out-of-bounds or arithmetic error during constructor execution");

}

Recommended Mitigation

Add an explicit check in the constructor:

This prevents deployment with mismatched arrays.
Provides a clear, user-friendly revert message.
Eliminates panic-level errors caused by unguarded array access.

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {

require(players.length == rewards.length, "Players and rewards array length mismatch");

...

}

Why this works:

The constructor immediately validates the array lengths.
Any mismatch causes a revert with a descriptive error, preventing deployment failure.
Maintains mapping integrity: each player is guaranteed exactly one reward.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!