MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

claim period is NOT verified in Pot::claimCut function

cryptedoji

Summary

If the manager fails to closePot immediately the claim period is over, and since the claim period of 90 days is not being verified in the Pot::claimCut function, a user can still claim her cut even after the claim period has ended.

Vulnerability Details

according to the docs, allowing authorized claimants 90 days to claim before the manager takes a cut of the remaining pool ..., an eligible claimant should only be allowed to claim within the period of 90 days, However if the manager of the Pot fails to closePot after 90 days, eligible users can continue to claim rewards.

PoC
foundry test to verify the flaw

function testCanClaimCutAfterClaimPeriod() public mintAndApproveTokens {

vm.startPrank(user);

contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 4);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

// after the 90days period

vm.warp(95 days);

// player balance before

uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);

vm.startPrank(player1);

Pot(contest).claimCut();

vm.stopPrank();

// player balance after

uint256 balanceAfter = ERC20Mock(weth).balanceOf(player1);

assert(balanceAfter > balanceBefore);

}

Impact

users continue to claim rewards even after the 90 days claim period leading to manager no getting her cut

Tools Used

manual review
foundry test

Recommendations

in the Pot::claimCut add the following check

function claimCut() public {

+ if (block.timestamp > i_deployedAt + 90 days) {

+ revert("claim period is over");

+ }

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

cryptedoji Submitter

about 1 year ago

equious Lead Judge

about 1 year ago

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.