Users can claim after 90 days
Summary
This report identifies an issue within the MyCut contest rewards distribution protocol related to the claimCut() function. The MyCut protocol allows authorized claimants to claim their rewards within 90 days, after which the contest manager takes a cut of the remaining pool. However, there is a potential issue where players can still claim rewards after the 90-day claim window using the claimCut() function.
Vulnerability Details
The protocol specifies that participants have 90 days to claim their rewards after a contest is created. After this period, the contest manager takes a cut of the remaining reward pool, and the remaining rewards are distributed equally among those who claimed within the claim period.
The claimCut() function allows users to claim rewards, but it lacks a mechanism to enforce the 90-day limit. This could allow participants to bypass the time restriction and claim rewards after the claim period has ended, which would:
Reduce Remaining Pool: Rewards that should be distributed to participants who claimed on time would be depleted.
Unfair Distribution: Late claimants could benefit unfairly from rewards they are no longer entitled to after the 90-day window.
https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L37
Impact
Unauthorized Claims: Players can claim rewards after the 90-day period, which could lead to an unfair redistribution of the remaining rewards pool.
Loss of Funds: The contest manager's cut, which is meant to be taken from the unclaimed rewards pool, may be significantly reduced if late claimants deplete the remaining tokens.
Tools Used
Manual Review
Recommendations
Add a check for claiming within 90 days to the claimCut() function.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.