MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

`ContestManager::fundContest` takes the index of a contest as input, but there is no way to determine that index, because `ContestManager::createContest` returns the address of the contest, making it difficult to fund a contest

Summary

ContestManager::fundContest takes the index of a contest as input, but there is no way to determine that index, because ContestManager::createContest returns the address of the contest, making it difficult to fund a contest.

Vulnerability Details

ContestManager::fundContest is meant to be called after a contest has been created. The contest is created by ContestManager::createContest, but that function returns the address of the contest instead of its index. There is also no other method to look up the index of a contest from its address. So the owner may mistakenly fund a contest contract they did not intend to. In short, using the index as the parameter makes funding contests error-prone.

Impact

The owner finds it difficult to fund the intended contest.

Tools Used

Manual Review

Recommendations

There are two mitigations for this:

  • Use the address of the contest as the input parameter of fundContest instead of the index.

- function fundContest(uint256 index) public onlyOwner {
+ function fundContest(address _contest) public onlyOwner {
- Pot pot = Pot(contests[index]);
+ Pot pot = Pot(_contest)
IERC20 token = pot.getToken();
- uint256 totalRewards = contestToTotalRewards[address(pot)];
+ uint256 totalRewards = contestToTotalRewards[_contest];
if (token.balanceOf(msg.sender) < totalRewards) {
revert ContestManager__InsufficientFunds();
}
- token.transferFrom(msg.sender, address(pot), totalRewards);
+ token.transferFrom(msg.sender, _contest, totalRewards);
}
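Review bot: the line `+ Pot pot = Pot(_contest)` is missing its terminating semicolon and will not compile. Beyond that, replacing `contests[index]` with an arbitrary `_contest` drops the implicit guarantee that the funded address is one this manager created: for a mistyped address `contestToTotalRewards[_contest]` is zero, so the transfer silently moves nothing, and for a non-Pot address `pot.getToken()` reverts with an unhelpful error. Add an explicit membership check before the transfer, for example a `mapping(address => bool)` set in createContest, and revert with a dedicated error when `_contest` is not a registered contest.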
  • Make a function which takes the address of a contest and loops through the contests array to find its index. But this is just extra, unnecessary code and isn't recommended. Also, if the array becomes really large, the loop becomes a DoS vector.
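As an added example (not the MyCut project's own code), a minimal address-keyed ContestManager sketch: it registers each contest under its address, emits the index alongside it so either identifier can be recovered off-chain, and makes fundContest reject any address it did not register. The interfaces, the owner check and a createContest that takes an already deployed Pot instead of deploying one are assumptions, not the project's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces so the example compiles stand-alone (assumed to match the project's contracts).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPot {
    function getToken() external view returns (IERC20);
}

contract ContestManagerExample {
    error ContestManager__InsufficientFunds();
    error ContestManager__UnknownContest(address contest);
    address public owner = msg.sender;
    address[] public contests;
    // Address-keyed bookkeeping: a contest is identified by the address that
    // createContest already returns, so no caller ever needs an array index.
    mapping(address => bool) public isContest;
    mapping(address => uint256) public contestToTotalRewards;
    event ContestCreated(address indexed contest, uint256 indexed index);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Stands in for the project's createContest; Pot deployment is omitted and `pot`
    // is assumed to be an already deployed Pot. The event also carries the index.
    function createContest(address pot, uint256 totalRewards) external onlyOwner returns (address) {
        require(!isContest[pot], "already registered");
        isContest[pot] = true;
        contests.push(pot);
        contestToTotalRewards[pot] = totalRewards;
        emit ContestCreated(pot, contests.length - 1);
        return pot;
    }

    // Address-keyed funding that rejects any address this manager did not create,
    // the check a bare fundContest(address) rewrite would lack.
    function fundContest(address contest) external onlyOwner {
        if (!isContest[contest]) revert ContestManager__UnknownContest(contest);
        IERC20 token = IPot(contest).getToken();
        uint256 totalRewards = contestToTotalRewards[contest];
        if (token.balanceOf(msg.sender) < totalRewards) revert ContestManager__InsufficientFunds();
        require(token.transferFrom(msg.sender, contest, totalRewards), "transfer failed");
    }
}
```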

Updates

Lead Judging Commences

equious Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
