MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Possible to enter `Pot::claimCut` even after Pot has been closed

0x0noob

Details

The reason for this is that there is no system in Pot::claimCut which checks if the pot is closed, no variable in the contract that tracks when the Pot has been closed, possible for an oversight to be made by the owner on a pot and send more funds for a Pot than required in totalRewards as there is no significant checks which ensures that the rewards of each players is equal to totalRewards, and also possible for dust funds to be left in the contract when players.legth != claimants.length and Pot.closePot has been called by the owner. The implication of this is that Pot::claimCut is not efficient as players who have not claimed thier rewards can still do so after the Pot has closed.

POC

function test_POC() public mintAndApproveTokens {

vm.startPrank(user);

contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 50);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.startPrank(player2);

Pot(contest).claimCut();

vm.stopPrank();

vm.warp(91 days);

console.log(IERC20(ERC20Mock(weth)).balanceOf(user));

vm.startPrank(user);

ContestManager(conMan).closeContest(contest);

vm.stopPrank();

assert(IERC20(ERC20Mock(weth)).balanceOf(contest) > 1);

vm.startPrank(player1);

Pot(contest).claimCut();

vm.stopPrank();

}

If say there are more players and the totalRewards = 50 as can be seen from the above POC. It can also be seen that it was poosible for player1` to enter the POT even after it was closed.

Tool used

Manual Review

Recommendation

Implement a system in Pot::claimCut which ensures that it can not be called when the Pot has been closed.

Updates

Lead Judging Commences

equious Lead Judge

about 1 year ago

equious Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect distribution in closePot()

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.