MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Array Length Mismatch Allows Reward Misallocation

paktiko

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)

public

onlyOwner

returns (address)

{

// No validation that players.length == rewards.length

Pot pot = new Pot(players, rewards, token, totalRewards);

// ...

}

// In Pot constructor:

for (uint256 i = 0; i < i_players.length; i++) {

playersToRewards[i_players[i]] = i_rewards[i]; // May access out of bounds

}

Risk

Impact:

If rewards.length < players.length: Transaction reverts with out-of-bounds access.
If rewards.length > players.length: Extra rewards are ignored, potentially causing totalRewards mismatch.
Wrong players could receive wrong reward amounts due to index misalignment.

Proof of Concept

// Scenario 1: More players than rewards

address[] memory players = [alice, bob, charlie];

uint256[] memory rewards = [100, 200]; // Missing charlie's reward

// Constructor will revert when accessing rewards[2]

// Scenario 2: More rewards than players

address[] memory players = [alice, bob];

uint256[] memory rewards = [100, 200, 300]; // Extra 300 ignored

// Only alice=100, bob=200 set, 300 is lost

Recommended Mitigation

function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)

public

onlyOwner

returns (address)

{

require(players.length == rewards.length, "Array length mismatch");

require(players.length > 0, "Empty players array");

// Optionally validate sum of rewards equals totalRewards

uint256 sum = 0;

for (uint256 i = 0; i < rewards.length; i++) {

sum += rewards[i];

}

require(sum == totalRewards, "Rewards sum mismatch");

Pot pot = new Pot(players, rewards, token, totalRewards);

// ...

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!