MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Claimants Can Still Claim After 90 Days if Manager Does Not Call ContestManager.closeContest()

frontrunner

Summary

Claimants are currently able to claim their rewards even after 90 days if the Contest Manager fails to close the contest on time. This behavior occurs because the system does not enforce the 90-day claim period within the claimCut function of the Pot contract, allowing users to continue claiming rewards beyond the intended timeframe.

Vulnerability Details

In the current implementation, the Contest Manager is responsible for closing the contest by calling ContestManager.closeContest() after the contest period has ended. However, if the Contest Manager does not call this function in a timely manner, participants can continue to claim rewards indefinitely, even after the 90-day claim window has passed.

Proof of Code

The following test function demonstrates the issue:

function testClaimantsCanClaimAfter90Days() public mintAndApproveTokens {

vm.startPrank(user);

rewards = [50, 50, 9];

totalRewards = 109;

contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.startPrank(player1);

Pot(contest).claimCut();

vm.warp(91 days);

vm.startPrank(player2);

Pot(contest).claimCut();

vm.stopPrank();

vm.startPrank(user);

ContestManager(conMan).closeContest(contest);

vm.stopPrank();

}

Issue: In the code above, player2 is still able to successfully claim their reward after the 90-day period has expired, as the ContestManager has not yet closed the contest.

Impact

Claimants could continue to withdraw rewards after the intended 90-day period, leading to unauthorized claims. This could result in the depletion of the remaining rewards in the pot, which by the protocol's design, belong to the contestManager and the claimants who claimed early.

Tools Used

Foundry

Recommendations

To mitigate this vulnerability, it is recommended to enforce the 90-day claim period within the claimCut function itself. This way, the function will automatically prevent any claims after the specified period, regardless of whether the ContestManager has called closeContest() or not.

function claimCut() public {

// Enforce the 90-day claim period

+ if (block.timestamp - i_deployedAt > 90 days) {

revert Pot__NoLongerOpenForClaim();

}

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Updates

Lead Judging Commences

equious Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.