MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Missing Input Validation in Constructor Allows Invalid Pot Creation

comfortnurse021

The Pot contract constructor accepts arrays of players and rewards, an ERC20 token address, and total rewards amount to initialize the pot.
The constructor lacks essential validation checks, allowing deployment with mismatched arrays, zero addresses, duplicate players, and incorrect total rewards calculations, which can render the pot dysfunctional or exploitable.
https://github.com/CodeHawks-Contests/ai-mycut/blob/819134663950999ca5ab29a91eeceddb80274743/src/Pot.sol#L22-35

Risk

Likelihood: High

Contract owners may accidentally deploy pots with invalid parameters due to frontend bugs or human error
Malicious owners can intentionally create corrupted pots to exploit the system
This will occur whenever the ContestManager creates a new pot without proper validation at the manager level

Impact: High

Funds can become permanently locked in pots with no valid claimants
Some players may receive incorrect or zero rewards while others get excess amounts

poc

- constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {

i_players = players;

i_rewards = rewards;

i_token = token;

i_totalRewards = totalRewards;

remainingRewards = totalRewards;

i_deployedAt = block.timestamp;

for (uint256 i = 0; i < i_players.length; i++) {

playersToRewards[i_players[i]] = i_rewards[i];

}

+ // ADD THIS SECURE CONSTRUCTOR

constructor(

address[] memory players,

uint256[] memory rewards,

IERC20 token,

uint256 totalRewards

) {

1. Validate array lengths match

require(players.length == rewards.length, "Pot: arrays length mismatch");

require(players.length > 0, "Pot: no players specified");

2. Validate token address

require(address(token) != address(0), "Pot: zero token address");

3. Track sum for validation

uint256 calculatedTotal;

4. Track duplicates

mapping(address => bool) memory seenPlayers;

for (uint256 i = 0; i < players.length; i++) {

address player = players[i];

uint256 reward = rewards[i];

5. Validate player address

require(player != address(0), "Pot: zero player address");

6. Validate reward amount

require(reward > 0, "Pot: zero reward amount");

7. Check for duplicates

require(!seenPlayers[player], "Pot: duplicate player");

seenPlayers[player] = true;

8. Validate no overflow in total

require(calculatedTotal + reward >= calculatedTotal, "Pot: overflow in total");

calculatedTotal += reward;

// 9. Initialize player reward

playersToRewards[player] = reward;

}

// 10. Validate total rewards matches sum

require(calculatedTotal == totalRewards, "Pot: total rewards mismatch");

// 11. Initialize state variables

i_players = players;

i_rewards = rewards;

i_token = token;

i_totalRewards = totalRewards;

remainingRewards = totalRewards;

i_deployedAt = block.timestamp;

// 12. Emit event for transparency

emit PotCreated(players.length, totalRewards, block.timestamp);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!