MyCut

AI First Flight #8
Beginner Friendly, Foundry
Submission Details
Impact: medium
Likelihood: low
Invalid

Missing Array Length Validation in Constructor

Root + Impact

The constructor iterates through i_players and attempts to map them to values in i_rewards without verifying that both arrays have the same length. This leads to a Denial of Service (DoS) during deployment or a corrupted state.

Description

  • Normal behavior: Each player should have a corresponding reward amount.

  • Issue: The constructor does not verify that players.length == rewards.length. This can lead to out-of-bounds reads or incorrect reward assignments.

    for (uint256 i = 0; i < i_players.length; i++) {
        playersToRewards[i_players[i]] = i_rewards[i]; // <@ Possible Panic
    }

There are two failure modes:

  • players.length > rewards.length: When the loop reaches an index that doesn't exist in rewards, the contract will trigger a Panic (0x32) and the deployment will fail.

  • players.length < rewards.length: The deployment succeeds, but some reward values are ignored and left dangling in the i_rewards state array. This creates a mismatch between i_totalRewards and the actual sum of playersToRewards.

Risk

Likelihood:


Impact:

  • If the deployment fails, time and gas are wasted. If the deployment succeeds with mismatched lengths (case 2), the remainingRewards accounting will be permanently broken, leading to issues in claimCut() and closePot().

Proof of Concept

If an admin attempts to deploy with:
players: [Alice, Bob] (Length 2)
rewards: [100] (Length 1)
The loop will attempt to access i_rewards[1] for Bob. Since the index 1 does not exist, the EVM will revert the transaction immediately.
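
The Proof of Concept above, together with the second failure mode from the Description, written as a Foundry test. This is an added example, not code from the submission or the project: PotSketch is a hypothetical stand-in that keeps only the constructor loop quoted in the finding and drops the IERC20 token parameter, and the addresses and amounts are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test, stdError} from "forge-std/Test.sol";

// Hypothetical stand-in: only the state and constructor loop quoted in the
// finding are reproduced; the token parameter is omitted (assumption).
contract PotSketch {
    address[] private i_players;
    uint256[] private i_rewards;
    uint256 public immutable i_totalRewards;
    mapping(address => uint256) public playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards, uint256 totalRewards) {
        i_players = players;
        i_rewards = rewards;
        i_totalRewards = totalRewards;
        for (uint256 i = 0; i < i_players.length; i++) {
            playersToRewards[i_players[i]] = i_rewards[i]; // no length check
        }
    }

    function rewardsLength() external view returns (uint256) { return i_rewards.length; }
}

contract PotSketchTest is Test {
    address internal constant ALICE = address(0xA11CE); // constructed addresses
    address internal constant BOB = address(0xB0B);

    // players.length > rewards.length: i_rewards[1] does not exist
    function test_morePlayersThanRewards_panics() public {
        address[] memory players = new address[](2);
        players[0] = ALICE; players[1] = BOB;
        uint256[] memory rewards = new uint256[](1);
        rewards[0] = 100;
        vm.expectRevert(stdError.indexOOBError); // Panic(0x32)
        new PotSketch(players, rewards, 100);
    }

    // players.length < rewards.length: deployment succeeds, state disagrees
    function test_fewerPlayersThanRewards_leavesUnmappedReward() public {
        address[] memory players = new address[](1);
        players[0] = ALICE;
        uint256[] memory rewards = new uint256[](2);
        rewards[0] = 100; rewards[1] = 50;
        PotSketch pot = new PotSketch(players, rewards, 150);
        assertEq(pot.playersToRewards(ALICE), 100);
        assertEq(pot.rewardsLength(), 2);    // second reward stored, mapped to nobody
        assertEq(pot.i_totalRewards(), 150); // 50 more than the mapping can pay out
    }
}
```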

Recommended Mitigation


Add a require statement at the beginning of the constructor to ensure parity between the two input arrays.

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
+ require(players.length == rewards.length, "Pot: Players and rewards length mismatch");
i_players = players;
i_rewards = rewards;
// ... rest of code
}
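Review bot: the added require on the first line of the constructor checks length parity only; totalRewards is still a separate constructor argument, and nothing visible in this hunk ties it to the sum of rewards. The mismatch between i_totalRewards and the sum of playersToRewards described in the finding can therefore still occur with equal-length arrays. Consider summing rewards inside the constructor and requiring that the sum equals totalRewards, or deriving the total from the array instead of accepting it as an argument.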
This check enforces data integrity at the point of entry. By ensuring that every player has exactly one corresponding reward amount, you prevent the contract from entering an inconsistent state or failing unexpectedly during the expensive deployment process.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
