Submission Details
Severity:
ContestManager::fundContest function does not protect from calling twice
Summary
ContestManager::fundContest function does not protect from calling twice
Vulnerability Details
ContestManager::fundContest function does not have a check if the contest has been funded before, the owner can fund the contest more than one time my mistake.
Since the Pot contract does not have a function that is using ERC20 token balance of the Pot contract, any excess amount of ERC20 token will be ignored, mean get lost forever.
Impact
Owner will lost fund if they fund a contest more than one time.
Tools Used
Manual review
Recommendations
Track the contest has been funded and throw exception if condition is not met.
mapping(address => bool) public hasContestFunded; // @added a mapping
function fundContest(uint256 index) public onlyOwner {
Pot pot = Pot(contests[index]);
IERC20 token = pot.getToken();
uint256 totalRewards = contestToTotalRewards[address(pot)];
require(!hasContestFunded[address(pot)], "Contest has funded"); // @added a check
if (token.balanceOf(msg.sender) < totalRewards) {
revert ContestManager__InsufficientFunds();
}
hasContestFunded[address(pot)] = true; // @added
token.transferFrom(msg.sender, address(pot), totalRewards);
}
Rewards breakdown
nSLOC
106This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.