The Pot contract constructor has no amount validity check to ensure that totalRewards is at least the sum of the rewards array items. The lack of this check will cause the protocol to fail with an arithmetic underflow or overflow error.
The protocol is a reward distribution contract whose constructor takes a players array, a rewards array and totalRewards as arguments. For the reward system to be valid, totalRewards has to be at least the sum of the rewards array items, so that every player who later makes a claim receives their reward. This check is currently not implemented in the Pot constructor, which exposes the protocol to arithmetic underflow or overflow failures.
Proof of Concept:
In test/TestMyCut.t.sol, add the following test case:
The test run fails and reverts with an arithmetic underflow or overflow error when totalRewards is less than the sum of the rewards array items.
The protocol will fail to execute the reward distribution properly for all its eligible players, which affects their reputation and credibility.
Manual review
Implement an amount check in the Pot constructor, as demonstrated below:
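An added Solidity sketch of such a check, not the audited contract or the reporter's own patch. Only `players`, `rewards` and `totalRewards` come from the finding; the contract name `PotSketch`, the custom errors, the storage variables and the `claim` accounting are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited Pot contract. Every name other than
// players, rewards and totalRewards is hypothetical.
contract PotSketch {
    error Pot__LengthMismatch();
    error Pot__TotalRewardsTooLow(uint256 totalRewards, uint256 rewardsSum);
    error Pot__NothingToClaim();

    mapping(address => uint256) private playersToRewards;
    uint256 private remainingRewards;

    constructor(address[] memory players, uint256[] memory rewards, uint256 totalRewards) {
        // Each player needs exactly one reward entry.
        if (players.length != rewards.length) revert Pot__LengthMismatch();

        uint256 rewardsSum = 0;
        for (uint256 i = 0; i < rewards.length; i++) {
            // Checked arithmetic (Solidity >= 0.8): an overflowing sum reverts here.
            rewardsSum += rewards[i];
            // += keeps the per-player total equal to what was summed,
            // even if the same address appears twice in players.
            playersToRewards[players[i]] += rewards[i];
        }

        // The check the finding asks for: reject an underfunded pot at
        // deployment instead of failing later on a player's claim.
        if (totalRewards < rewardsSum) {
            revert Pot__TotalRewardsTooLow(totalRewards, rewardsSum);
        }
        remainingRewards = totalRewards;
    }

    // Assumed claim accounting (token payout is outside this sketch).
    // Without the constructor check, the subtraction below is where a late
    // claimant would hit the arithmetic underflow panic.
    function claim() external returns (uint256 reward) {
        reward = playersToRewards[msg.sender];
        if (reward == 0) revert Pot__NothingToClaim();
        playersToRewards[msg.sender] = 0;
        remainingRewards -= reward;
    }
}
```

With the check in place, a deployment where totalRewards is below the sum of rewards reverts in the constructor with a descriptive error, so the invariant `remainingRewards >= outstanding rewards` holds for every later claim.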