MyCut

First Flight #23
Severity: medium
Invalid

Unfunded contest scenarios

Summary

The ContestManager and Pot contracts lack proper mechanisms to ensure contests are funded before they become operational. This oversight can lead to situations where participants engage in contests without guaranteed rewards, potentially resulting in financial losses and damaging the platform's integrity.

Vulnerability Details

The current implementation allows for the creation and potential operation of contests without verifying if they have been properly funded:

// In ContestManager.sol
function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)
    public
    onlyOwner
    returns (address)
{
    // The Pot is deployed and recorded, but no tokens are ever moved into it here.
    Pot pot = new Pot(players, rewards, token, totalRewards);
    contests.push(address(pot));
    contestToTotalRewards[address(pot)] = totalRewards;
    return address(pot);
}

// In Pot.sol
function claimCut() public {
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    playersToRewards[player] = 0;
    remainingRewards -= reward;
    claimants.push(player);
    // Pays out from the Pot's own token balance, which nothing guarantees is non-zero.
    _transferReward(player, reward);
}

Key vulnerabilities:

  1. No verification that a contest is funded before allowing operations.

  2. Lack of transparency regarding the funding status of a contest.

  3. Potential for contests to start or even conclude without proper funding.

  4. No safeguards against incomplete funding.
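The following Foundry test is an added illustration of the unfunded scenario and is not part of the original submission or the MyCut code base. It assumes ContestManager has a no-argument constructor that sets the deployer as owner, that Pot._transferReward calls i_token.transfer, and that OpenZeppelin's ERC20Mock is available; the player address and reward amounts are constructed sample values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
// Assumed dependency: OpenZeppelin's ERC20Mock (plain ERC20 with a public mint).
import {ERC20Mock} from "@openzeppelin/contracts/mocks/token/ERC20Mock.sol";
// Assumed project layout: the audited contracts live in src/.
import {ContestManager} from "../src/ContestManager.sol";
import {Pot} from "../src/Pot.sol";

contract UnfundedContestTest is Test {
    ContestManager manager;
    ERC20Mock token;
    address owner = makeAddr("owner");
    address alice = makeAddr("alice");

    function setUp() public {
        token = new ERC20Mock();
        // Assumption: ContestManager's constructor takes no arguments and makes msg.sender the owner.
        vm.prank(owner);
        manager = new ContestManager();
    }

    function test_claimCutRevertsWhenPotIsUnfunded() public {
        // Constructed sample contest: one player owed 100 tokens.
        address[] memory players = new address[](1);
        players[0] = alice;
        uint256[] memory rewards = new uint256[](1);
        rewards[0] = 100e18;

        // The owner creates the contest without ever approving or transferring any tokens.
        vm.prank(owner);
        address pot = manager.createContest(players, rewards, token, 100e18);

        // The contest is live and records 100e18 of rewards, yet the Pot holds nothing.
        assertEq(manager.contestToTotalRewards(pot), 100e18);
        assertEq(token.balanceOf(pot), 0);

        // Alice passes every check in claimCut, then the payout reverts for lack of balance.
        vm.prank(alice);
        vm.expectRevert();
        Pot(pot).claimCut();
    }
}
```

Run with forge test; the revert comes from the token transfer, not from any Pot check, which is exactly the missing safeguard described above.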

Impact

  1. Financial Risk: Participants may engage in contests without guaranteed rewards.

  2. Trust Issues: Lack of funding transparency could erode user confidence in the platform.

  3. Platform Integrity: Unfunded or partially funded contests could severely damage the platform's reputation.

  4. Operational Challenges: Resolving issues from unfunded contests could be complex and resource-intensive.

Tools Used

Manual code review.

AI for report.

Recommendations

The primary recommendation is to fund the contest in the constructor of the Pot contract. This ensures that a contest cannot exist in an unfunded state. Here's how this can be implemented:

  1. Modify the Pot constructor to require funding:

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
    // Pull the full reward amount from the deployer before any state is set; a Pot
    // that cannot be funded cannot be deployed.
    require(token.transferFrom(msg.sender, address(this), totalRewards), "Funding failed");
    i_players = players;
    i_rewards = rewards;
    i_token = token;
    i_totalRewards = totalRewards;
    remainingRewards = totalRewards;
    i_deployedAt = block.timestamp;
    for (uint256 i = 0; i < i_players.length; i++) {
        playersToRewards[i_players[i]] = i_rewards[i];
    }
}
  2. Update the ContestManager to handle the funding. Because the Pot constructor pulls from msg.sender (the ContestManager), the allowance has to be granted to the Pot's address before the Pot exists, so the Pot is deployed with CREATE2 and its address computed in advance:

function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)
    public
    onlyOwner
    returns (address)
{
    // Pull the full reward amount from the owner into the manager first.
    require(token.transferFrom(msg.sender, address(this), totalRewards), "Transfer to ContestManager failed");
    // Predict the Pot address (CREATE2) so the allowance can target it before deployment.
    bytes32 salt = keccak256(abi.encode(contests.length, players, rewards, address(token), totalRewards));
    bytes32 initCodeHash =
        keccak256(abi.encodePacked(type(Pot).creationCode, abi.encode(players, rewards, token, totalRewards)));
    address predicted =
        address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)))));
    require(token.approve(predicted, totalRewards), "Approval for Pot failed");
    // The Pot's constructor now pulls totalRewards from this contract or reverts.
    Pot pot = new Pot{salt: salt}(players, rewards, token, totalRewards);
    require(address(pot) == predicted, "Unexpected Pot address");
    contests.push(address(pot));
    contestToTotalRewards[address(pot)] = totalRewards;
    return address(pot);
}

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
