Description:
Pot::claimCut() is documented as giving authorized claimants 90 days to claim their reward before the manager takes a cut, but the function never compares the current time against that deadline. Nothing in claimCut() references i_deployedAt or block.timestamp, so the 90-day window exists only in the documentation, not in the contract.
Impact:
Players can still call claimCut() after the 90-day window has ended, so the documented deadline is not enforced on-chain and a claim can land after the point at which the manager is supposed to take its cut.
Proof of Concept:
Paste the following test into TestMyCut.t.sol; it passes, showing that a claim made 91 days after the contest is created still succeeds. It relies on the fixture state already defined in that file (the mintAndApproveTokens modifier and the user, players, rewards, weth, conMan and player1 variables).
function testCanClaimCutAfterDeadline() public mintAndApproveTokens {
    // Manager creates and funds a contest; the Pot is deployed here,
    // so i_deployedAt == block.timestamp at this point.
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(
        players,
        rewards,
        IERC20(ERC20Mock(weth)),
        4
    );
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();

    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);

    // Move well past the documented 90-day claim window.
    vm.warp(block.timestamp + 91 days);

    // The claim should be rejected but goes through.
    vm.startPrank(player1);
    Pot(contest).claimCut();
    vm.stopPrank();

    uint256 balanceAfter = ERC20Mock(weth).balanceOf(player1);
    assert(balanceAfter > balanceBefore);
}
Tools Used:
Manual review
Foundry
Recommendations:
Add a deadline check to claimCut() that reverts once 90 days have passed since the Pot was deployed (i_deployedAt). Use the same comparison the manager's post-deadline path uses, so there is no timestamp at which both a player and the manager can act, or at which neither can. A named custom error in the style of Pot__RewardNotFound is clearer for callers and tests than a bare revert().
function claimCut() public {
+   // Reject claims once the 90-day window since deployment has elapsed.
+   if (block.timestamp - i_deployedAt >= 90 days) {
+       revert();
+   }
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    playersToRewards[player] = 0;
    remainingRewards -= reward;
    claimants.push(player);
    _transferReward(player, reward);
}
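Two regression tests for the fix, added here as an example and not part of the original finding or the MyCut code base. They assume the same TestMyCut.t.sol fixture the PoC uses (the mintAndApproveTokens modifier and the user, players, rewards, weth, conMan and player1 variables), that the check above has been applied to Pot::claimCut() with the >= 90 days comparison, and that it reverts without error data, which is why the bare vm.expectRevert() form is used. Each test creates its own contest, so player1 has an unclaimed reward in both.

```solidity
// Added example (not project code): boundary tests for the deadline check.
// Assumes the TestMyCut.t.sol fixture (mintAndApproveTokens, user, players,
// rewards, weth, conMan, player1) and the recommended fix applied to claimCut().

// Helper: manager creates and funds a contest; returns the Pot deployment time.
function _createFundedContest() internal returns (uint256 deployedAt) {
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(
        players,
        rewards,
        IERC20(ERC20Mock(weth)),
        4
    );
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();
    // No warp has happened yet, so this equals i_deployedAt inside the Pot.
    deployedAt = block.timestamp;
}

// One second inside the window: the claim must still succeed.
function testClaimCutSucceedsJustBeforeDeadline() public mintAndApproveTokens {
    uint256 deployedAt = _createFundedContest();
    vm.warp(deployedAt + 90 days - 1);

    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);
    vm.prank(player1);
    Pot(contest).claimCut();

    assertGt(ERC20Mock(weth).balanceOf(player1), balanceBefore);
}

// Exactly 90 days after deployment: with the >= comparison the claim reverts.
function testClaimCutRevertsAtDeadline() public mintAndApproveTokens {
    uint256 deployedAt = _createFundedContest();
    vm.warp(deployedAt + 90 days);

    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);
    vm.prank(player1);
    vm.expectRevert(); // matches the bare revert() in the recommended fix
    Pot(contest).claimCut();

    // Nothing was transferred.
    assertEq(ERC20Mock(weth).balanceOf(player1), balanceBefore);
}
```

If the fix is changed to use a named custom error instead of revert(), replace the bare vm.expectRevert() with vm.expectRevert(ThatError.selector) so the test fails if the claim reverts for some other reason, such as Pot__RewardNotFound.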