A significant vulnerability has been identified in the Pot smart contract where the remainingRewards state variable is not properly cleared after reward distribution, potentially leading to inaccurate reward reporting and inconsistent contract state.
In the Pot contract: the remainingRewards variable is not reset to zero after distributing all rewards in the closePot function.
Inaccurate State: The contract may report non-zero remaining rewards even after all rewards have been distributed, leading to a misrepresentation of the contract's financial state.
Potential for Double Spending: If the contract is reused or if there are functions that rely on remainingRewards, it could lead to attempts to distribute rewards that no longer exist.
Misleading Information: Functions like getRemainingRewards() would return incorrect values, potentially misleading users or other contracts that interact with this contract.
Inconsistent Internal State: The discrepancy between remainingRewards and the actual token balance of the contract could lead to unexpected behaviors in future transactions or contract upgrades.
Manual code review
AI for report
Clear Remaining Rewards: Update the closePot function to clear remainingRewards:
Add Safety Checks: Implement additional checks to ensure remainingRewards is consistent with the sum of unclaimed rewards:
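The following is an added illustration, not the audited Pot contract's code. It shows the pattern described in the finding (rewards paid out in closePot while remainingRewards keeps its old value) beside a version that applies both mitigation steps: an invariant check that remainingRewards equals the sum of unclaimed rewards, and a reset to zero after distribution. The storage layout, the allocate/claimable/players names and the IERC20 interface are assumptions made so the example compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface so the example compiles on its own (assumption).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical storage and allocation logic shared by both variants below.
// Names (claimable, allocate, players) are assumptions, not the audited code.
abstract contract PotBase {
    IERC20 public immutable rewardToken;
    address public immutable owner;
    address[] public players;
    mapping(address => uint256) public claimable;
    uint256 public remainingRewards; // tracked total of unpaid rewards
    bool public closed;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 token) {
        rewardToken = token;
        owner = msg.sender;
    }

    // Record a reward for a player; remainingRewards mirrors the sum of claimable.
    function allocate(address player, uint256 amount) external onlyOwner {
        require(!closed, "pot closed");
        require(amount > 0, "zero amount");
        if (claimable[player] == 0) players.push(player);
        claimable[player] += amount;
        remainingRewards += amount;
    }

    function getRemainingRewards() external view returns (uint256) {
        return remainingRewards;
    }

    // Sum of per-player unclaimed amounts. The intended invariant is
    // remainingRewards == totalUnclaimed() at every point outside a transaction.
    function totalUnclaimed() public view returns (uint256 total) {
        for (uint256 i = 0; i < players.length; i++) {
            total += claimable[players[i]];
        }
    }

    // Pay out every player and zero their claimable balance.
    function _payAll() internal {
        for (uint256 i = 0; i < players.length; i++) {
            address p = players[i];
            uint256 amount = claimable[p];
            if (amount == 0) continue;
            claimable[p] = 0;
            require(rewardToken.transfer(p, amount), "transfer failed");
        }
        closed = true;
    }
}

// The pattern the finding describes: rewards are paid out, but
// remainingRewards keeps its pre-distribution value.
contract PotVulnerable is PotBase {
    constructor(IERC20 token) PotBase(token) {}

    function closePot() external onlyOwner {
        require(!closed, "pot closed");
        _payAll();
        // remainingRewards is never reset, so getRemainingRewards() now
        // overstates what the contract actually holds.
    }
}

// Recommended shape: check the invariant, distribute, then clear the counter.
contract PotFixed is PotBase {
    constructor(IERC20 token) PotBase(token) {}

    function closePot() external onlyOwner {
        require(!closed, "pot closed");
        // Safety check: the tracked remainder must equal the sum of unclaimed
        // rewards and be covered by the token balance before paying out.
        require(remainingRewards == totalUnclaimed(), "accounting mismatch");
        require(rewardToken.balanceOf(address(this)) >= remainingRewards, "underfunded");
        _payAll();
        remainingRewards = 0; // clear after distribution
        assert(remainingRewards == totalUnclaimed()); // invariant holds again
    }
}
```

After PotFixed.closePot runs, getRemainingRewards() returns 0 and agrees with both totalUnclaimed() and the zeroed per-player balances, whereas PotVulnerable still reports the pre-distribution total. The require on the token balance is an extra guard beyond the finding's two steps: it makes the distribution fail loudly when remainingRewards has drifted above what the contract actually holds, rather than paying out partially.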