Submission Details
Severity:
Lack of time checking in `Pot::claimCut`, players can claim after 90 days.
Description:
This function allow authorized claimants 90 days to claim before the manager takes a cut. But it do not check the time when being call.
Impact:
After 90 days, players still can claim.
Proof of Concept:
Paste this test into TestMyCut.t.sol, test will pass.
function testCanClaimCutAfterDealine() public mintAndApproveTokens {
vm.startPrank(user);
contest = ContestManager(conMan).createContest(
players,
rewards,
IERC20(ERC20Mock(weth)),
4
);
ContestManager(conMan).fundContest(0);
vm.stopPrank();
// player balance before
uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);
// 90 days passed
vm.warp(91 days);
vm.startPrank(player1);
Pot(contest).claimCut();
vm.stopPrank();
// player balance after
uint256 balanceAfter = ERC20Mock(weth).balanceOf(player1);
assert(balanceAfter > balanceBefore);
}
Tools Used:
Manual review
Foundry
Recommendations:
Add time checking in the function. Revert if 90 days passed.
function claimCut() public {
+ if (block.timestamp - i_deployedAt >= 90 days) {
+ revert();
+ }
address player = msg.sender;
uint256 reward = playersToRewards[player];
if (reward <= 0) {
revert Pot__RewardNotFound();
}
playersToRewards[player] = 0;
remainingRewards -= reward;
claimants.push(player);
_transferReward(player, reward);
}
Rewards breakdown
nSLOC
106This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.