MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP

Submission Details
Severity: high
Invalid

`Pot::claimCut` allows players to claim their cut after the end period has passed, breaking the intended protocol functionality

Summary

The `Pot::claimCut` function lets players claim their rewards even after the pot's end time (90 days after deployment) has passed. This defeats the intended design, which is to penalize players who do not claim their rewards in time.

Vulnerability Details

The `Pot::claimCut` function in the Pot contract lets players claim their rewards. However, it never checks whether the pot's end time, 90 days after deployment (`i_deployedAt`), has already passed. As a result, players can keep claiming their rewards after the pot is supposed to be closed.

```solidity
function claimCut() public {
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    // No check that the 90-day claim window is still open
    playersToRewards[player] = 0;
    remainingRewards -= reward;
    claimants.push(player);
    _transferReward(player, reward);
}
```

Proof Of Concept

After the pot has been deployed and 90 days have passed, players can still call the claimCut function to claim their rewards.

Place the following test into TestMyCut.t.sol

```solidity
function testCanClaimCutAfterEndTime() public mintAndApproveTokens {
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 4);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    // Warp to timestamp 91 days (absolute; Foundry's default start timestamp is 1,
    // so this is more than 90 days after the pot was deployed)
    vm.warp(91 days);

    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);
    assert(balanceBefore == 0);

    // Player1 claims the reward after the end time
    vm.startPrank(player1);
    Pot(contest).claimCut();
    vm.stopPrank();

    // Player1 received the reward even though the pot should be closed
    uint256 balanceAfter = ERC20Mock(weth).balanceOf(player1);
    assert(balanceAfter > 0);
}
```

Impact

Because `Pot::claimCut` does not check the end time, players can claim their rewards after the pot has closed. This undermines the intended penalty for players who claim late.

Tools Used

Solidity compiler
Manual code review
Foundry

Recommendations

To mitigate this, add a check at the start of `Pot::claimCut` that reverts once the claim period has ended. Here is the function with the recommended change:

```solidity
function claimCut() public {
    // Reject claims once the 90-day window since deployment has closed.
    // Add the new error to the contract: `error Pot__ClaimPeriodEnded();`
    if (block.timestamp - i_deployedAt > 90 days) {
        revert Pot__ClaimPeriodEnded();
    }
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    playersToRewards[player] = 0;
    remainingRewards -= reward;
    claimants.push(player);
    _transferReward(player, reward);
}
```

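A regression test for the recommended check, added here as an example and not part of the original submission or the MyCut code base. It reuses the fixture names from the proof-of-concept test above (`mintAndApproveTokens`, `user`, `conMan`, `players`, `rewards`, `weth`, `player1`), assumes a second funded player `player2` exists in the same fixture, and assumes the patched Pot declares `error Pot__ClaimPeriodEnded();` at contract level so its selector is reachable as `Pot.Pot__ClaimPeriodEnded.selector`. It pins down the boundary of the fix: exactly 90 days after deployment is still inside the window (the check is `> 90 days`), one second later is not.

```solidity
// Added regression test (example code, not from the original submission).
// Assumes the fixture from TestMyCut.t.sol plus a second funded player `player2`
// and the new `Pot__ClaimPeriodEnded` error declared inside the Pot contract.
function testClaimCutRevertsAfterEndTime() public mintAndApproveTokens {
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 4);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    // Pot is deployed in this block, so i_deployedAt == block.timestamp here.
    uint256 deployedAt = block.timestamp;

    // Boundary: exactly 90 days after deployment the window is still open,
    // because the recommended check only reverts when the elapsed time is > 90 days.
    vm.warp(deployedAt + 90 days);
    vm.prank(player1);
    Pot(contest).claimCut();
    assert(ERC20Mock(weth).balanceOf(player1) > 0);

    // One second later the window has closed and a fresh claimant is refused.
    vm.warp(deployedAt + 90 days + 1);
    vm.prank(player2);
    vm.expectRevert(Pot.Pot__ClaimPeriodEnded.selector);
    Pot(contest).claimCut();

    // The late player's reward entry is untouched: nothing was paid out.
    assert(ERC20Mock(weth).balanceOf(player2) == 0);
}
```

Run it with `forge test --match-test testClaimCutRevertsAfterEndTime -vvv`. The warps are relative to the deployment timestamp rather than absolute values, so the test keeps working if the fork or fixture starts at a non-default block time. Whatever closing mechanism the pot uses should treat the same instant as the end of the window, otherwise there is a moment where a claim and the close can both succeed; keep the comparison operators consistent between the two paths.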
Updates

Lead Judging Commences

equious Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
