MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Pot Status Check (Claims Allowed After Pot Closure)

princekay

Description:

The claimCut function currently allows players to claim their rewards without verifying whether the pot is still open. As a result, players can attempt to claim rewards even after the pot should have been closed. This lack of a timing restriction can lead to inconsistent states where claims are made after the pot has already been finalized or closed.

Impact:

Allowing claims after the pot is supposed to be closed can lead to unexpected behavior, including potential over-distribution of rewards, disruption of the closing process, and loss of funds intended for specific time frames. It also opens the contract to potential abuse where users could continue to claim rewards indefinitely, which can result in a breach of the intended contract logic and rules.

Proof of Concept:

Deploy the contract and set the rewards for a list of players.
Allow the pot to remain open for claims for the required duration (e.g., 90 days).
After the 90-day period, attempt to call the claimCut function as a player.
Observe that the function still allows claims to be made even though the pot should have been closed.

Recommended Mitigation:

Add a check at the beginning of the claimCut function to ensure that claims can only be made while the pot is still open. This can be done by comparing the current timestamp with the deployment timestamp and enforcing the claim period:

Example Fix:

function claimCut() public {

require(block.timestamp - i_deployedAt < 90 days, "Pot is closed for claims");

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

This mitigation ensures that claims can only be made during the valid claim period, preventing any unauthorized claims after the pot has closed.

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.