There are no checks to ensure that a contest has only been funded once, or that it has been funded at all.
fundContest() only reverts if the sender does not have the funds; it has no checks for anything else.
Two potential issues arise because of this.
It is possible to create a contest and never fund it. Users would be able to interact with the contest, likely under the assumption that they would be able to claim the rewards that are due to them as viewable in Pot::playersToRewards. This would cause reverting transactions and wasted gas on the users' end.
In the event that the manager of the protocol calls this function multiple times, the excess funds would be lost. In the Pot contract, only totalRewards is used to distribute the remainder of rewards when the pot is closed. Sending additional funds does not change totalRewards and there is no rescue function, ensuring loss to the manager should this be called more than once.
PoC - copy this into TestMyCut.t.sol:
Manual review
Consider making fundContest() a private function that is called at the end of createContest(). This would ensure that all pots created are sufficiently funded and removes the risk of overfunding a pot.
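A sketch of this recommendation, added here as an illustration and not the protocol's own code. PotSketch, ContestManagerSketch, the funded mapping, the custom errors and the function signatures are assumptions; only the names fundContest, createContest and totalRewards come from the finding, and the token is assumed to return a bool from transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; contract names and signatures are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the protocol's Pot: it only records the reward budget.
contract PotSketch {
    uint256 public immutable totalRewards;
    constructor(uint256 _totalRewards) { totalRewards = _totalRewards; }
}

contract ContestManagerSketch {
    address public immutable owner;
    IERC20 public immutable token;
    mapping(address => bool) public funded; // pot address => funded exactly once

    error NotOwner();
    error AlreadyFunded();
    error TransferFailed();

    constructor(IERC20 _token) { owner = msg.sender; token = _token; }

    // Creation and funding share one transaction: if the transfer fails the whole
    // call reverts, so no pot can exist on-chain without its totalRewards.
    function createContest(uint256 totalRewards) external returns (address pot) {
        if (msg.sender != owner) revert NotOwner();
        pot = address(new PotSketch(totalRewards));
        _fundContest(pot, totalRewards);
    }

    // Private, so it cannot be invoked a second time from outside; the flag also
    // guards against accidental reuse by future internal callers.
    function _fundContest(address pot, uint256 amount) private {
        if (funded[pot]) revert AlreadyFunded();
        funded[pot] = true; // state change before the external call
        if (!token.transferFrom(msg.sender, pot, amount)) revert TransferFailed();
    }
}
```

The owner must approve the manager for at least totalRewards before calling createContest, otherwise the creation itself reverts.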