MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing deadline check in the `claimCut::Pot.sol` function allows players to claim after `90 days`

14xSachet

Description Eligible players can claim their reward by calling the claimCut function. Payers are not allowed to claim their reward post 90 days of pot's deployment. Timely claimers are rewarded with unclaimed tokens left in the pot.

There is no deadline check in claimCut function, allowing players to claim even after the deadline has passed. This defies the protocols principle, denying early claimer's advantage.

Impact Players can claim their cut from the pot post deadline. Early claimers are denied of their advantage.

Proof of concept

Place the following code in TestMyCut.t.sol:

function test_MissingDeadlineCheck()public{

vm.startPrank(user);

weth.mint(user,1000e18);

console.log(weth.balanceOf(user));

address pot = ContestManager(conMan).createContest(players,rewards,weth,totalRewards);

weth.approve(conMan,type(uint256).max);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.warp(block.timestamp + 90 days);

vm.roll(block.number + 1);

vm.prank(player1);

Pot(pot).claimCut();

assertEq((Pot(pot).getToken()).balanceOf(player1),3);

}

Recommended Mitigation Put in a deadline check in the claimCut function to make sure that players can claim only within the stipulated time interval of 90 days.

function claimCut() public {

+ if(block.timestamp - i_deployedAt >= 90 days){

+ revert();

+ }

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

//q what if feeOnTransfer tokens take a cut during reward distribution?

_transferReward(player, reward);

}

Updates

Lead Judging Commences

equious Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

14xSachet Submitter

12 months ago

equious Lead Judge

12 months ago

equious Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.