MyCut
First Flight #23
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Tokens Will Be Permanently Lost if No Players Claim the Reward

bytes1

Summary

If no participants claim the reward within the 90-day claiming period, the owner can close the pot after this period. However, only 10% of the reward tokens will be recoverable; the remaining 90% will not be recovered

Vulnerability Details

function testremainingrewardafterclose() public mintAndApproveTokens {
vm.startPrank(user);
contest = ContestManager(conMan).createContest(
players,
rewards,
IERC20(ERC20Mock(weth)),
4
);
ContestManager(conMan).fundContest(0);
vm.stopPrank();
vm.warp(91 days);
vm.startPrank(user);
ContestManager(conMan).closeContest(contest);
vm.stopPrank();
uint256 potbalance = ERC20Mock(weth).balanceOf(contest);
console.log("potbalance", potbalance);
assertEq(potbalance, 4);
}

In the situation where there are no participants claiming rewards, if the owner calls the closePot function after the 90-day period, the reward tokens will be permanently locked.

Impact

Tokens will be permanently locked in the pot contract.

Tools Used

vscode, foundry

Recommendations

If there are no reward participants, the tokens should be fully recovered from the contract and returned to the owner.

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect handling of zero claimant edge case

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.