MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Missing Time Restriction in `claimCut` Function

Summary

The claimCut function in the Pot contract lacks a time-based restriction, allowing players to continue claiming rewards even after the 90-day claim period has elapsed, if the owner does not close the pot in time. This can lead to unintended claims and potentially drain funds that should be reallocated according to the protocol's rules.

Vulnerability Detail

In the Pot contract, the claimCut function allows players to claim their allocated rewards. However, the function does not include any time constraint to restrict claims after the 90-day period. According to the protocol’s design, players are expected to claim their rewards within a 90-day window, after which unclaimed rewards are meant to be redistributed. If the owner fails to close the pot after the 90-day period, players can continue claiming rewards indefinitely, violating the intended behavior of the protocol.

Impact

  • Exceeding the claim period: Players can still claim rewards beyond the intended 90-day period if the owner does not close the pot. This could result in a violation of the protocol’s intended distribution rules.

  • Unintended fund allocation: Funds that should have been reallocated according to the protocol (e.g., the manager's cut and redistribution to claimants) could continue to be claimed, affecting the remaining reward pool and overall distribution accuracy.

Tool used

Manual Code Review

Recommendation

Add a time-based condition in the claimCut function to ensure that players can only claim rewards within the designated 90-day window. This could be achieved by checking that the current block timestamp is within 90 days of the contract's deployment time (i_deployedAt). After this period, the claimCut function should be disabled until the pot is closed.
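One way to implement the recommended check, together with a Foundry test that confirms a claim is rejected once the window has passed. This is an added illustration, not the MyCut project's own code: apart from `claimCut` and `i_deployedAt`, the contract names, the per-player reward mapping, the constructor and the ETH payout are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Assumed, simplified stand-in for the Pot contract: only what is needed to show
// the recommended claim-window check. Apart from claimCut and i_deployedAt, the
// names, the ETH payout and the constructor are assumptions, not project code.
contract PotWithClaimWindow {
    error Pot__ClaimWindowClosed();
    error Pot__NothingToClaim();
    uint256 public constant CLAIM_PERIOD = 90 days;
    uint256 private immutable i_deployedAt;
    mapping(address => uint256) private s_rewards; // assumed per-player allocation

    constructor(address[] memory players, uint256[] memory rewards) payable {
        i_deployedAt = block.timestamp;
        for (uint256 i = 0; i < players.length; i++) s_rewards[players[i]] = rewards[i];
    }

    // Recommended fix: claims are only accepted within 90 days of deployment.
    modifier withinClaimWindow() {
        if (block.timestamp > i_deployedAt + CLAIM_PERIOD) revert Pot__ClaimWindowClosed();
        _;
    }

    function claimCut() external withinClaimWindow {
        uint256 amount = s_rewards[msg.sender];
        if (amount == 0) revert Pot__NothingToClaim();
        s_rewards[msg.sender] = 0; // zero the balance before paying out
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}

// Foundry regression test: a claim one second past the window must revert.
contract ClaimWindowTest is Test {
    function test_claimCutRevertsAfterWindow() public {
        address player = makeAddr("player");
        address[] memory players = new address[](1);
        uint256[] memory rewards = new uint256[](1);
        players[0] = player;
        rewards[0] = 1 ether;
        PotWithClaimWindow pot = new PotWithClaimWindow{value: 1 ether}(players, rewards);
        vm.warp(block.timestamp + 90 days + 1);
        vm.prank(player);
        vm.expectRevert(PotWithClaimWindow.Pot__ClaimWindowClosed.selector);
        pot.claimCut();
    }
}
```

Run with `forge test --match-test test_claimCutRevertsAfterWindow`; without the `withinClaimWindow` modifier the same test fails because the late claim succeeds.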

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
