MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

`claimCut` function allows unauthorized claiming after 90 days (improper validation)

Summary

The documentation states that authorized claimants have 90 days to claim before the manager takes a cut of the remaining pool. The code does not enforce this.

Vulnerability Details

The `claimCut` function in the contract allows participants to claim their rewards even after 90 days have passed since the contest deployment. This occurs because the function contains no time-based check that rejects claims once the designated period has ended. The only thing that stops such claims is a call to `closeContest`, which prevents further claims. However, if `closeContest` is not called promptly once the 90 days have elapsed, for whatever reason, participants can continue to claim rewards indefinitely. This is contrary to the intended functionality of the contract and breaks a key invariant.

Proof Of Concept

Add this test to TestMyCut.t.sol:

```solidity
function testCannotClaimRewardsAfter90Days() public mintAndApproveTokens {
    // Deploy and fund the Pot contract
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    // Warp time forward by 90 days
    vm.warp(block.timestamp + 90 days);

    // Attempt to claim rewards after 90 days
    vm.startPrank(player1);
    // Expect the claim to revert if claiming is not allowed after 90 days
    vm.expectRevert("Claiming period has ended");
    Pot(contest).claimCut();
    vm.stopPrank();
}
```

This test was supposed to revert because the claiming period has ended, but it did not. This means a user can still claim after the 90 days as long as `closePot` has not been called.

Impact

  • Reduced cuts: when the `closePot` function is called later than intended, both the manager's cut and the claimant cut are reduced, because late claimants keep draining the pool in the meantime.

  • Extended claim period: ineligible claimants can claim rewards beyond the intended 90-day window, which the original design did not allow. This can break trust in the protocol, and rightful claimants may lose confidence in it.

  • Unintended fund drain: if participants can claim rewards after the intended claim period, they could deplete the contract's funds over time, potentially exhausting the reward pool before the contest can be properly closed.

Tools Used

  • Manual Review

  • Foundry Testing

Recommendations
In case the `closePot` function is not called immediately, and to provide defence in depth against ineligible claimants taking their cut after 90 days, it is advised to modify `claimCut` to include a time-based check so that rewards cannot be claimed after the intended 90-day period.

Here is the modified function with the check:

```solidity
// Requires a new custom error at contract level, next to the existing ones:
//     error Pot__ClaimingPeriodEnded();
// `i_deployedAt` is the immutable deployment timestamp already used by closePot.
function claimCut() public {
    // Time check: claims are only valid within 90 days of deployment
    if (block.timestamp > i_deployedAt + 90 days) {
        revert Pot__ClaimingPeriodEnded();
    }
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    playersToRewards[player] = 0;
    remainingRewards -= reward;
    claimants.push(player);
    _transferReward(player, reward);
}
```
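A regression test for the recommended fix, added here as an example and not part of the original submission or the MyCut codebase. It assumes `Pot` now declares `error Pot__ClaimingPeriodEnded();` and records `i_deployedAt` in its constructor, that the test file has the same fixtures as `TestMyCut.t.sol` (`player1`, `player2`, `rewards[0]` being `player1`'s reward), and it shows the boundary of the check (exactly 90 days still claims, one second later reverts) and that `expectRevert` must match the custom error selector rather than a string reason.

```solidity
// Added regression test for the recommended fix (example code, not from the submission).
// Assumes: Pot declares `error Pot__ClaimingPeriodEnded();`, sets `i_deployedAt` in its
// constructor, and the test contract has the TestMyCut.t.sol fixtures
// (`players`, `rewards`, `player1`, `player2`, `weth`, `conMan`, `user`, `totalRewards`).
function testClaimCutEnforces90DayWindow() public mintAndApproveTokens {
    // Deploy and fund the Pot; i_deployedAt is set to the current block timestamp here.
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    uint256 deployedAt = block.timestamp;

    // Exactly 90 days after deployment is still inside the window, because the check is
    // a strict `>`. A claim must succeed and the player's reward must be paid out.
    vm.warp(deployedAt + 90 days);
    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);
    vm.prank(player1);
    Pot(contest).claimCut();
    // Assumption: rewards[0] is player1's reward in the shared fixtures.
    assertEq(ERC20Mock(weth).balanceOf(player1), balanceBefore + rewards[0]);

    // One second later the window has closed. The fix reverts with a custom error, so
    // expectRevert needs the selector form; a string reason would not match.
    vm.warp(deployedAt + 90 days + 1);
    vm.prank(player2);
    vm.expectRevert(Pot.Pot__ClaimingPeriodEnded.selector);
    Pot(contest).claimCut();
}
```

Run it with `forge test --match-test testClaimCutEnforces90DayWindow -vvv`; the second half is the assertion that would fail against the unpatched `claimCut`, since the call simply succeeds there.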
Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
