MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Potential manipulation of `closePot` timeframe by block miners

soupy

Summary

There is a potential manipulation of the timeframe by block miners to delay contract owner to close the pot so players have even more time to claim their rewards and also eligible to get additional rewards from the remainder for making their claims on time.

https://github.com/Cyfrin/2024-08-MyCut/blob/946231db0fe717039429a11706717be568d03b54/src/Pot.sol#L28

https://github.com/Cyfrin/2024-08-MyCut/blob/946231db0fe717039429a11706717be568d03b54/src/Pot.sol#L50-L52

Vulnerability Details

The Pot contract currently using block.timestamp for i_deployedAt which is used in Pot:closePot function to check if the pot is still open for claim process.

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {

i_players = players;

i_rewards = rewards;

i_token = token;

i_totalRewards = totalRewards;

remainingRewards = totalRewards;

<@@>! i_deployedAt = block.timestamp;

for (uint256 i = 0; i < i_players.length; i++) {

playersToRewards[i_players[i]] = i_rewards[i];

}

function closePot() external onlyOwner {

<@@> if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

If a miner also happens to be in the players list and for some reasons away and needs more time for rewards claim process, the miner could manipulate the block.timestamp of the i_deployedAt so he could have more time buffer apart from the 90 days condition by the owner.

Impact

Manipulation of the closePot effective timeframe to gain extra time buffer for reward claim process

Tools Used

Manual review

Recommendations

Protocol team to have proper planning and use a more precise execution timeframe for contract deployment during the creation of the pot and the close of the pot.

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.