Summary:
Pot.sol - closePot() function can be called multiple times after 90 days.
Vulnerability Details
Although only the owner can call this function, the only conditions for the payout to run are:
1. more than 90 days have passed since the pot was deployed (i_deployedAt), and
2. remainingRewards is greater than 0.

Nothing in closePot() as shown marks the pot as closed, and the payout does not reduce remainingRewards, so both conditions remain satisfied after the first call and every later call pays out the same managerCut and claimantCut again.

```solidity
function closePot() external onlyOwner {
    if (block.timestamp - i_deployedAt < 90 days) {
        revert Pot__StillOpenForClaim();
    }
    if (remainingRewards > 0) {
        uint256 managerCut = remainingRewards / managerCutPercent;
        i_token.transfer(msg.sender, managerCut);
        uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
        // ... remainder of the payout loop is not reproduced in this report
    }
}
```
Impact
The owner can call this function repeatedly after the 90-day window; each call transfers the manager cut and the claimant cuts again, causing loss of funds and leaving remainingRewards out of sync with the token balance actually held by the pot.
Tools Used
forge
Recommendations
Add a state variable that records whether the pot is still open for claims, e.g. openForClaims = true / false, set it to false inside closePot() before any token is transferred, and only run the payout while it is still true. The first call then closes the pot and every later call skips the distribution.

```solidity
function closePot() external onlyOwner {
    if (block.timestamp - i_deployedAt < 90 days) {
        revert Pot__StillOpenForClaim();
    }
    if (openForClaims) {
        openForClaims = false; // flip state before transferring so a second call sees a closed pot
        if (remainingRewards > 0) {
            uint256 managerCut = remainingRewards / managerCutPercent;
            i_token.transfer(msg.sender, managerCut);
            uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
            // ... remainder of the payout loop as in the original
        }
    }
}
```
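The Foundry test below is an added example for this report, not code from the audited repository or from the report's author. It models a reduced Pot-like contract that carries the recommended openForClaims flag and checks that a second closePot() call cannot pay out again. Everything beyond the names in the snippet is an assumption made for the example: the MockToken stand-in, the constructor shape, paying the claimant cut to i_players, zeroing remainingRewards after the split, and reverting with a hypothetical Pot__AlreadyClosed() error on the second call instead of silently doing nothing as in the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal token stand-in (constructed for this example) so the test runs without external dependencies.
contract MockToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Reduced Pot-like contract. Only the names from the report's snippet are taken from the audited code;
// constructor, error names and payout loop are simplified assumptions for this example.
contract PotFixed {
    error Pot__StillOpenForClaim();
    error Pot__AlreadyClosed(); // hypothetical: explicit signal instead of a silent no-op
    error Pot__NotOwner();

    address public immutable i_owner;
    uint256 public immutable i_deployedAt;
    MockToken public immutable i_token;
    address[] public i_players;
    uint256 public remainingRewards;
    uint256 public constant managerCutPercent = 10; // manager receives 1/10 of what is left
    bool public openForClaims = true;               // the state flag the report recommends

    constructor(MockToken token, address[] memory players, uint256 totalRewards) {
        i_owner = msg.sender;
        i_deployedAt = block.timestamp;
        i_token = token;
        i_players = players;
        remainingRewards = totalRewards;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert Pot__NotOwner();
        _;
    }

    function closePot() external onlyOwner {
        if (block.timestamp - i_deployedAt < 90 days) revert Pot__StillOpenForClaim();
        if (!openForClaims) revert Pot__AlreadyClosed(); // second call stops here
        openForClaims = false;                            // effect before interaction
        if (remainingRewards > 0) {
            uint256 managerCut = remainingRewards / managerCutPercent;
            uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
            remainingRewards = 0;                         // accounting now matches the tokens leaving the pot
            i_token.transfer(msg.sender, managerCut);
            for (uint256 i = 0; i < i_players.length; i++) {
                i_token.transfer(i_players[i], claimantCut);
            }
        }
    }
}

contract PotFixedTest is Test {
    MockToken token;
    PotFixed pot;
    address[] players;

    function setUp() public {
        token = new MockToken();
        players.push(makeAddr("alice"));
        players.push(makeAddr("bob"));
        pot = new PotFixed(token, players, 1_000e18); // test contract is the owner
        token.mint(address(pot), 1_000e18);
    }

    function test_closePotCannotPayOutTwice() public {
        vm.warp(block.timestamp + 90 days);
        pot.closePot();
        assertEq(token.balanceOf(address(this)), 100e18); // manager cut paid exactly once
        assertEq(token.balanceOf(players[0]), 450e18);    // (1000 - 100) / 2 per player
        assertEq(pot.remainingRewards(), 0);
        assertFalse(pot.openForClaims());

        vm.expectRevert(PotFixed.Pot__AlreadyClosed.selector);
        pot.closePot();                                   // unguarded version would pay out again here
        assertEq(token.balanceOf(address(this)), 100e18); // balances unchanged after the rejected call
    }
}
```

Reverting on the second call rather than returning silently makes the closed state visible to callers and trivially testable; zeroing remainingRewards in the same step means that even if the flag were ever bypassed, the `remainingRewards > 0` branch would no longer be taken.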