Description:
The fundContest function does not check whether a contest has already been funded, so the owner can fund the same contest multiple times.
Impact:
The owner sends more tokens to the Pot than intended: every additional call to fundContest for an already funded contest transfers the full totalRewards amount again.
Proof of Concept:
Paste this test into TestMyCut.t.sol; the test passes, showing that the owner can fund the same Pot contract multiple times.

    function test_canFundPotMultipleTime() public mintAndApproveTokens {
        // `user` deploys ContestManager in the test setup and is therefore its owner.
        vm.startPrank(user);
        contest = ContestManager(conMan).createContest(
            players,
            rewards,
            IERC20(ERC20Mock(weth)),
            4
        );

        // First funding: the Pot receives the full reward amount (4).
        ContestManager(conMan).fundContest(0);
        assertEq(ERC20Mock(weth).balanceOf(contest), 4);

        // Second funding of the same index is accepted and transfers another 4,
        // so the Pot now holds twice the rewards it needs.
        ContestManager(conMan).fundContest(0);
        assertEq(ERC20Mock(weth).balanceOf(contest), 8);
        vm.stopPrank();
    }
Tools Used:
Manual review
Foundry
Recommendations:
Add a mapping that records which contests have already been funded, and make fundContest revert when it is called again for a funded contest.

    + // Error name chosen for this recommendation; any descriptive name works.
    + error ContestManager__ContestAlreadyFunded();
    + mapping(address => bool) public contestIsFunded;

    function fundContest(uint256 index) public onlyOwner {
        Pot pot = Pot(contests[index]);
    +   if (contestIsFunded[address(pot)]) {
    +       revert ContestManager__ContestAlreadyFunded();
    +   }
        IERC20 token = pot.getToken();
        uint256 totalRewards = contestToTotalRewards[address(pot)];
        if (token.balanceOf(msg.sender) < totalRewards) {
            revert ContestManager__InsufficientFunds();
        }
    +   // Mark the contest as funded before the external transfer (checks-effects-interactions).
    +   contestIsFunded[address(pot)] = true;
        token.transferFrom(msg.sender, address(pot), totalRewards);
    }
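As an added regression test for the recommended fix (not part of the original finding or the MyCut test suite), the following can be dropped into TestMyCut.t.sol next to the proof of concept. It assumes the mapping and revert above are applied and that the new error is named ContestManager__ContestAlreadyFunded, a name chosen for this example; the fixture names (user, conMan, players, rewards, weth, contest, mintAndApproveTokens) are those already used by the proof of concept.

```solidity
// Added regression test, not part of the original finding.
// Assumes the recommended fix is applied and that the new custom error is
// named ContestManager__ContestAlreadyFunded (name chosen for this example).
function test_cannotFundPotTwice() public mintAndApproveTokens {
    // `user` is the ContestManager owner in the test setup.
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(
        players,
        rewards,
        IERC20(ERC20Mock(weth)),
        4
    );

    // First funding succeeds and moves the full reward amount into the Pot.
    ContestManager(conMan).fundContest(0);
    assertEq(ERC20Mock(weth).balanceOf(contest), 4);
    uint256 ownerBalanceAfterFirstFund = ERC20Mock(weth).balanceOf(user);

    // A second funding of the same index must revert with the new error.
    vm.expectRevert(ContestManager.ContestManager__ContestAlreadyFunded.selector);
    ContestManager(conMan).fundContest(0);

    // The rejected call must not have moved any tokens in either direction.
    assertEq(ERC20Mock(weth).balanceOf(contest), 4);
    assertEq(ERC20Mock(weth).balanceOf(user), ownerBalanceAfterFirstFund);
    vm.stopPrank();
}
```

Run it with `forge test --match-test test_cannotFundPotTwice -vvv`; it fails against the unpatched ContestManager (the second call succeeds instead of reverting) and passes once the mapping check is in place, which makes it a useful guard against the check being removed in a later refactor.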