Summary

Pot::claimCut should have a control to prevent users from claiming after pot has ended , else if pot gets some balance due to some reason , these users may claim if they didn't claim already

Vulnerability Details

The documentation clearly states that users can claim before the 90 day deadline. After the deadline , the owner takes their cut , and distributes remaining funds to the people who claimed in time by calling the Pot::closePot function

But the players who didn't claim in time , can still call the Pot::claimCut function after pot has ended. If the contract has no balance then this call will revert , but if somehow contract gets some balance , then this call will go through and these users can get their rewards, which is obviously not intended.

Impact

Players who didn't claim in time , can claim after pot has closed if the contract somehow contains some balance

Tools Used

Manual Review

Recommendations

Make a boolean variable which keeps track if closePot has been called , and this variable can be used to revert the claimCut call if pot has ended.