Summary
After the contest is closed, a player can still call claimCut, which is not the behaviour the project expects.
Vulnerability Details
In Pot.sol, a player can still call claimCut even after the pot has been closed by the owner. This is not what the project owner expects.
POC
function testClosePotThenclaim() public mintAndApproveTokens {
    // Create and fund the contest as `user`.
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 15);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    uint256 balanceBefore = ERC20Mock(weth).balanceOf(contest);
    console.log("The contest Before balance is: ", balanceBefore);

    // Set the block timestamp to 91 days, then close the contest as `user`.
    vm.warp(91 days);
    vm.startPrank(user);
    ContestManager(conMan).closeContest(contest);
    vm.stopPrank();

    vm.startPrank(user);
    ContestManager(conMan).reFund(ERC20Mock(weth));
    vm.stopPrank();

    // The contest is closed at this point, yet both players still call claimCut.
    vm.startPrank(player1);
    Pot(contest).claimCut();
    vm.stopPrank();

    vm.startPrank(player2);
    Pot(contest).claimCut();
    vm.stopPrank();
}
Impact
Tools Used
Manual review
Recommendations
If the Pot has been closed, users should no longer be allowed to call claimCut.
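One way to implement this recommendation, as an added example rather than the project's own code: a hypothetical pot that records a closed flag and checks it at the top of claimCut. The contract name, the closed flag, the error names and the sweep-to-owner behaviour in closePot are assumptions; Pot.sol itself is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface so the example compiles on its own.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical pot; every name here is an assumption, not taken from Pot.sol.
contract GuardedPot {
    error Pot__Closed();
    error Pot__NotOwner();
    error Pot__RewardNotFound();
    error Pot__TransferFailed();

    address public immutable owner;
    IERC20Minimal public immutable token;
    bool public closed; // set once in closePot(), never cleared
    mapping(address => uint256) public rewardOf;

    constructor(IERC20Minimal _token, address[] memory players, uint256[] memory rewards) {
        require(players.length == rewards.length, "length mismatch");
        owner = msg.sender;
        token = _token;
        for (uint256 i = 0; i < players.length; i++) {
            rewardOf[players[i]] = rewards[i];
        }
    }

    function claimCut() external {
        // Guard from the recommendation: reject every claim once the pot is closed.
        if (closed) revert Pot__Closed();
        uint256 reward = rewardOf[msg.sender];
        if (reward == 0) revert Pot__RewardNotFound();
        rewardOf[msg.sender] = 0; // zero the entry before the external call
        if (!token.transfer(msg.sender, reward)) revert Pot__TransferFailed();
    }

    function closePot() external {
        if (msg.sender != owner) revert Pot__NotOwner();
        if (closed) revert Pot__Closed();
        closed = true; // flip the flag before moving funds
        // Assumed close behaviour: sweep whatever is unclaimed to the owner.
        uint256 rest = token.balanceOf(address(this));
        if (rest > 0 && !token.transfer(owner, rest)) revert Pot__TransferFailed();
    }
}
```

With a guard of this kind in place, the two claimCut calls at the end of the POC would revert, which a regression test can assert with vm.expectRevert.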