MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

[H-5] Pot is not automatically closed after 90 days.

0xNascosta

**Description: The documentation states that authorised claimants (those addresses in the `players` array) can claim with 90 days, however the pot is not automatically closed in 90 days, it requires the `contestManager` to invoke `closeContest`. Unless the execution of `closeContest` is automated this will likely not occur on time, nor do we check the `block.timestamp` within `claimCut`. This will result in `players` still being able to claim after 90 days unless `closeContest` is invoked.**

**Impact:** Authorised users can still claim beyond the 90 day limit, given that the `contestManager` has not closed the contest. This reveals a mismatch in the behaviour of the protocol and the documentation.

**Proof of Concept:**

Add the following test function to `TestMyCut.t.sol:TestMyCut` test suite.

```solidity

/**

* Users can still claim after 90 days have elapsed and the pot duration

function testUsersCanStillClaimCutAfter90Days() public mintAndApproveTokens {

// Arrange

vm.startPrank(user);

ContestManager contestManager = ContestManager(conMan);

contest = contestManager.createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);

contestManager.fundContest(0);

vm.stopPrank();

Pot pot = Pot(contest);

vm.warp(91 days);

uint256 playerOneInitialBalance = weth.balanceOf(player1);

// Act - User can still claim

vm.prank(player1);

pot.claimCut();

uint256 playerOneFinalBalance = weth.balanceOf(player1);

// Assert

assertTrue(playerOneFinalBalance > playerOneInitialBalance);

}

```

**Recommended Mitigation:**

There are 2 suggested approaches:

1) Utilise [Chainlink Automation](https://docs.chain.link/chainlink-automation/guides/compatible-contracts). Create a time-based trigger via Chainlink automation. `checkUpkeep / performUpkeep` should be implemented and the contract should implement `AutomationCompatibleInterface` - more details can be found on the Chainlink website referenced.

2) Add a `block.timestamp` check against the `i_deployedAt` time within `claimCut`.

```diff

+ error Pot__ContestDurationExceeded();

+ uint256 constant CONTEST_DURATION = 90 days;

function claimCut() public {

+ if (block.timestamp - i_deployedAt > CONTEST_DURATION) {

+ revert Pot__ContestDurationExceeded();

+ }

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

```

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.