#42388 [SC-Insight] Discrepancy between number of Yeetback winners in contract and documentation

Previous#41707 [SC-Insight] Code differs from documentation in `Reward::getClaimableAmount` function Next#41132 [SC-Insight] NFT Boost Lookup values not adhere to docs

Was this helpful?

#42388 [SC-Insight] Discrepancy between number of Yeetback winners in contract and documentation

Submitted on Mar 23rd 2025 at 14:12:20 UTC by @Oxrochimaru for

Report ID: #42388
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeetback.sol
Impacts:

Description

Brief/Intro

As per documentation the number of yeetback winners are 10 but are configurable via config. But as per Yeetback::draftWinners() nrOfWinners are hardcoded to 10 and can't be changed.

https://docs.yeetit.xyz/yeet/yeet-game

    function draftWinners(uint256 randomNumber, uint256 round) private {
        uint256 potValue = potForRound[round];
        uint256 nrOfYeets = yeetsInRound[round].length;
        uint256 nrOfWinners = 10;

        uint256 winnings = potValue / nrOfWinners;
        amountToWinners[round] = winnings;

        for (uint256 i; i < nrOfWinners; i++) {
            uint256 randomDataNumber = uint256(keccak256(abi.encodePacked(randomNumber, i)));
            uint256 winningYeetIndex = randomDataNumber % nrOfYeets; // index of the winning yeet
            address winnerAddress = yeetsInRound[round][winningYeetIndex];

            // Update amountToWinners and amountOfWins
            amountOfWins[round][winnerAddress] += 1;

            emit YeetbackWinner(round, winnerAddress, winnings, winningYeetIndex);
        }
    }

Vulnerability Details

The documentation states that number of winners can change but it is hardcoded to 10 in the smart contract.

Impact Details

Documentation is contradicting the actual behaviour in the code.

References

Numbers that are formated in this way 10 means that they are changeable via some configuration.

Proof of Concept

User reading the documentation will believe number of winners are configurable.
Actually no. of winners are fixed to 10 in the smart contract.

Previous#41707 [SC-Insight] Code differs from documentation in `Reward::getClaimableAmount` function Next#41132 [SC-Insight] NFT Boost Lookup values not adhere to docs

Was this helpful?