Submission Details
Severity:
Admin can Close Contest Multiple times
Summary:
Pot.sol - closePot() function can be called multiple times after 90 days.
Vulnerability Details
while onlyOwner can call this function, the requirements to receive funds are
1. Needs to be > 90 days
2. remainingRewards must be > 0
function closePot() external onlyOwner {
if (block.timestamp - i_deployedAt < 90 days) {
revert Pot__StillOpenForClaim();
}
if (remainingRewards > 0) {
/// Manager cut = remaining balance / 10%
uint256 managerCut = remainingRewards / managerCutPercent;
i_token.transfer(msg.sender, managerCut);
//audit-issue runs out of gass
uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
Impact
Admin can call this function multiple times creating loss of funds / accounting issues.
Tools Used
forge
Recommendations
add state variable that saves the state of the contest contract, I.E. openForClaims = true / false. add a requirement that checks if the Pot is closed.
function closePot() external onlyOwner {
if (block.timestamp - i_deployedAt < 90 days) {
revert Pot_StillOpenForClaim();
}
if(openForClaims) {
openForClaims = false;
if (remainingRewards > 0) {
/// Manager cut = remaining balance / 10%
uint256 managerCut = remainingRewards / managerCutPercent;
i_token.transfer(msg.sender, managerCut);
//audit-issue runs out of gass
uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
Updates
Rewards breakdown
nSLOC
106This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.