#42388 [SC-Insight] Discrepancy between number of Yeetback winners in contract and documentation
Submitted on Mar 23rd 2025 at 14:12:20 UTC by @Oxrochimaru for Audit Comp | Yeet
Report ID: #42388
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeetback.sol
Impacts:
Description
Brief/Intro
As per the documentation, the number of Yeetback winners is 10 but is configurable via config. However, in Yeetback::draftWinners(), nrOfWinners is hardcoded to 10 and can't be changed.
https://docs.yeetit.xyz/yeet/yeet-game
    function draftWinners(uint256 randomNumber, uint256 round) private {
        uint256 potValue = potForRound[round];
        uint256 nrOfYeets = yeetsInRound[round].length;
        uint256 nrOfWinners = 10;
        uint256 winnings = potValue / nrOfWinners;
        amountToWinners[round] = winnings;
        for (uint256 i; i < nrOfWinners; i++) {
            uint256 randomDataNumber = uint256(keccak256(abi.encodePacked(randomNumber, i)));
            uint256 winningYeetIndex = randomDataNumber % nrOfYeets; // index of the winning yeet
            address winnerAddress = yeetsInRound[round][winningYeetIndex];
            // Update amountToWinners and amountOfWins
            amountOfWins[round][winnerAddress] += 1;
            emit YeetbackWinner(round, winnerAddress, winnings, winningYeetIndex);
        }
    }
Vulnerability Details
The documentation states that the number of winners can change, but it is hardcoded to 10 in the smart contract.
Impact Details
The documentation contradicts the actual behaviour of the code.
References
Numbers that are formatted in this way 10 means that they are changeable via some configuration.
Proof of Concept
A user reading the documentation will believe the number of winners is configurable.
In fact, the number of winners is fixed at 10 in the smart contract.
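If the intent is for the code to match the documentation, the winner count would have to live in storage behind a bounded setter. The sketch below is an added example, not code from the report or from the Yeet project; the contract name, `owner`, `MAX_WINNERS`, `setNrOfWinners`, `NrOfWinnersUpdated` and `winningsPerWinner` are all assumed names, and the cap of 50 is an assumed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a minimal, hypothetical stand-in for the
/// winner-count logic, not the Yeetback contract itself.
contract ConfigurableWinnersSketch {
    address public immutable owner;           // assumed access-control model
    uint256 public constant MAX_WINNERS = 50; // assumed cap to bound loop gas
    uint256 public nrOfWinners = 10;          // default equals the hardcoded value

    event NrOfWinnersUpdated(uint256 previous, uint256 current);

    constructor() {
        owner = msg.sender;
    }

    /// Change the number of winners used by future draws.
    function setNrOfWinners(uint256 newValue) external {
        require(msg.sender == owner, "not owner");
        // Zero would make `potValue / nrOfWinners` revert with a division by zero;
        // an unbounded value would make the draw loop arbitrarily expensive.
        require(newValue > 0 && newValue <= MAX_WINNERS, "out of range");
        emit NrOfWinnersUpdated(nrOfWinners, newValue);
        nrOfWinners = newValue;
    }

    /// Mirrors the share calculation in draftWinners(): the count is read from
    /// storage once so the divisor and the loop bound cannot diverge.
    function winningsPerWinner(uint256 potValue)
        public
        view
        returns (uint256 count, uint256 winnings)
    {
        count = nrOfWinners;
        winnings = potValue / count;
    }
}
```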