feat: Path System Array Index Out of Bounds Vulnerability #176

@KevinMB0220

Description

📝 Title

Path System Array Index Out of Bounds Vulnerability

📋 Description

The path system in game.cairo has multiple functions that can cause contract panics due to array index out of bounds errors. The get_path_step() and advance_enemy_position() functions don't properly validate indices before accessing predefined path arrays, which can lead to DoS attacks or unexpected game crashes.

Current problematic code:

fn get_step_from_array(steps: Span<(u32, u32)>, index: u32) -> (u32, u32) {
    assert(index < steps.len(), 'Index out of bounds'); // ⚠️ PANIC ON INVALID INDEX
    *steps.at(index.into())
}

fn get_path_step(path_id: u64, index: u32) -> (u32, u32) {
    match path_id {
        0 => { /* ... */ },
        1 => { /* ... */ },
        2 => { /* ... */ },
        _ => panic!("Invalid path_id"), // ⚠️ PANIC ON INVALID PATH_ID
    }
}

Attack vectors:

  • Calling with invalid path_id values
  • Providing index values beyond path length
  • Manipulating enemy position updates with out-of-bounds indices

Files affected:

  • contract/src/systems/game.cairo (lines 127, 145, 191)

✅ Acceptance Criteria

  • Replace panic!() calls with graceful error handling that returns Option<(u32, u32)> or similar
  • Add bounds checking before array access in get_step_from_array()
  • Validate path_id exists before processing in get_path_step()
  • Update advance_enemy_position() to handle invalid paths gracefully
  • Add comprehensive test cases for all edge cases and invalid inputs
  • Ensure all callers handle the new error return types properly

💬 Additional Notes

Severity: 🟠 HIGH - Can cause immediate contract panics, making the game unplayable and potentially allowing DoS attacks by submitting invalid path parameters.

Root Cause: Functions use panic!() and assert() for input validation instead of graceful error handling, making the contract vulnerable to malicious or malformed inputs.

Impact: Attackers or bugs could crash entire game sessions, lose player progress, and make towers/enemies unusable by triggering array bounds violations.


Keep it consistent with the project's style and standards.
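A bounds-checked version of the lookups described above, written here as an added example of the Option-returning style the acceptance criteria ask for; it is not code from the repository's game.cairo. The waypoint coordinates, the `path_steps` helper and the `(u32, bool)` return shape of `advance_enemy_position` are assumptions made for the example, not the project's actual signatures.

```cairo
// Added example, not code from game.cairo. Path coordinates, the
// `path_steps` helper and the return shape of `advance_enemy_position`
// are assumptions made for illustration.

/// Bounds-checked lookup. `Span::get` returns `None` for `index >= len`,
/// so no `assert` is needed and an invalid index cannot panic the contract.
fn get_step_from_array(steps: Span<(u32, u32)>, index: u32) -> Option<(u32, u32)> {
    match steps.get(index) {
        Option::Some(step) => Option::Some(*step.unbox()),
        Option::None => Option::None,
    }
}

/// Resolves a path id to its predefined waypoints. Unknown ids yield `None`
/// instead of `panic!("Invalid path_id")`. (Hypothetical waypoints.)
fn path_steps(path_id: u64) -> Option<Span<(u32, u32)>> {
    if path_id == 0 {
        Option::Some(array![(0, 0), (1, 0), (2, 0)].span())
    } else if path_id == 1 {
        Option::Some(array![(0, 5), (1, 5), (2, 5), (3, 5)].span())
    } else {
        Option::None
    }
}

/// Both failure modes (unknown path, index past the end) collapse to `None`,
/// which the caller must handle explicitly.
fn get_path_step(path_id: u64, index: u32) -> Option<(u32, u32)> {
    match path_steps(path_id) {
        Option::Some(steps) => get_step_from_array(steps, index),
        Option::None => Option::None,
    }
}

/// Moves an enemy one step along its path. Returns the new index and whether
/// the enemy is still on the path; an invalid path or an index already at or
/// past the end leaves the index unchanged and reports `false`.
fn advance_enemy_position(path_id: u64, current_index: u32) -> (u32, bool) {
    let steps = match path_steps(path_id) {
        Option::Some(s) => s,
        Option::None => { return (current_index, false); },
    };
    // Reject an off-path index first: besides being a logic error, the
    // `current_index + 1` below could only overflow (and panic) if this
    // check were skipped, since current_index < len <= u32::MAX afterwards.
    if current_index >= steps.len() {
        return (current_index, false);
    }
    let next_index = current_index + 1;
    if next_index < steps.len() {
        (next_index, true)
    } else {
        (current_index, false)
    }
}

#[cfg(test)]
mod tests {
    use super::{get_path_step, advance_enemy_position};

    #[test]
    fn invalid_inputs_return_none_instead_of_panicking() {
        let (x, y) = get_path_step(0, 1).unwrap();
        assert(x == 1 && y == 0, 'valid step');
        assert(get_path_step(0, 3).is_none(), 'index past end');
        assert(get_path_step(7, 0).is_none(), 'unknown path id');

        let (idx, moving) = advance_enemy_position(1, 2);
        assert(idx == 3 && moving, 'advance to last step');
        let (idx, moving) = advance_enemy_position(1, 3);
        assert(idx == 3 && !moving, 'stops at end of path');
        let (idx, moving) = advance_enemy_position(9, 0);
        assert(idx == 0 && !moving, 'bad path leaves index');
    }
}
```

The point of the shape above is that the only functions able to abort the transaction are the ones that choose to; `Span::get` replaces the `assert`, the path-id lookup replaces the `panic!`, and the tests exercise exactly the inputs listed as attack vectors (unknown path id, index past the end, advancing from the last step). Note that index arithmetic is still a panic source in Cairo (u32 overflow), which is why the off-path check runs before the increment rather than after it.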

Metadata

Labels

  • Cairo (Something isn't working)
  • enhancement (New feature or request)
  • onlydust-wave (Contribute to awesome OSS repos during OnlyDust's open source week)

Development

No branches or pull requests