MyCut

First Flight #23
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

ContestManager::fundContest does not protect against being called twice

Summary

ContestManager::fundContest does not protect against being called twice.

Vulnerability Details

ContestManager::fundContest does not check whether the contest has already been funded, so the owner can fund the same contest more than once by mistake.

Since the Pot contract has no function that uses the Pot contract's ERC20 token balance, any excess ERC20 tokens are ignored, meaning they are lost forever.

Impact

The owner will lose funds if they fund a contest more than once.

Tools Used

Manual review

Recommendations

Track whether the contest has been funded, and throw an exception if the condition is not met.

```solidity
mapping(address => bool) public hasContestFunded; // @added a mapping

function fundContest(uint256 index) public onlyOwner {
    Pot pot = Pot(contests[index]);
    IERC20 token = pot.getToken();
    uint256 totalRewards = contestToTotalRewards[address(pot)];
    // Reject a second funding call for the same pot.
    require(!hasContestFunded[address(pot)], "Contest has funded"); // @added a check

    if (token.balanceOf(msg.sender) < totalRewards) {
        revert ContestManager__InsufficientFunds();
    }

    // Mark the pot as funded before the external token call.
    hasContestFunded[address(pot)] = true; // @added
    token.transferFrom(msg.sender, address(pot), totalRewards);
}
```

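
The following self-contained comparison is an added example, not code from the MyCut repository or from this submission. `DemoToken`, `DemoManager` and `DoubleFundDemo` are constructed stand-ins (the pot is modelled as a plain address and allowances are omitted); `run(false)` funds twice without the guard, `run(true)` funds twice with it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in token: balances only, no allowances (enough for this demo).
contract DemoToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        balanceOf[from] -= amount; // checked arithmetic: reverts if the balance is too low
        balanceOf[to] += amount;
        return true;
    }
}

// Constructed stand-in for the manager: a single pot and a single reward total.
contract DemoManager {
    error AlreadyFunded();

    DemoToken public immutable token;
    address public immutable pot;
    uint256 public immutable totalRewards;
    bool public immutable guarded; // true = apply the funded-once check
    bool public funded;

    constructor(DemoToken t, address p, uint256 rewards, bool g) {
        token = t; pot = p; totalRewards = rewards; guarded = g;
    }

    function fundContest() external {
        if (guarded && funded) revert AlreadyFunded();
        funded = true; // state change before the external token call
        require(token.transferFrom(msg.sender, pot, totalRewards), "transfer failed");
    }
}

// Calls fundContest() twice and reports what the pot holds afterwards.
contract DoubleFundDemo {
    function run(bool guarded) external returns (uint256 potBalance, bool secondCallReverted) {
        DemoToken token = new DemoToken();
        address pot = address(0xB0B); // constructed pot address
        DemoManager mgr = new DemoManager(token, pot, 100, guarded);
        token.mint(address(this), 1000);
        mgr.fundContest();
        try mgr.fundContest() {} catch { secondCallReverted = true; }
        potBalance = token.balanceOf(pot);
    }
}
```

Comparing `potBalance` with the 100-token reward total shows whether any excess was transferred; `secondCallReverted` shows whether the guard stopped the repeat call.
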
Updates

Lead Judging Commences

equious Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
