MyCut

AI First Flight #8
Beginner Friendly, Foundry
Submission Details
Impact: high
Likelihood: high
Invalid

Users can still claim after the deadline period

The claimCut function is missing a critical check that validates the user is claiming before the deadline.

Description

  • Normal behavior: Users can claim their cuts before the deadline, and they cannot claim after the deadline of 90 days has passed.

  • Issue: A missing check on the current time at claiming allows users to claim even if the deadline of 90 days has passed.

@> function claimCut() public {

Risk

Likelihood:

  • This occurs any time a pot's deadline is reached and users who haven't claimed on time manage to front-run the manager closing the pot.


Impact:

  • Impact is High. The deadline is effectively bypassed, and users who claimed on time can miss their additional rewards because non-claimers can claim before the manager closes the pot.

Proof of Concept

  1. The owner chooses 2 player accounts to reward

  2. The first user claims on time

  3. 90 days pass and the pot can be closed by the owner, who is about to claim his cut and distribute more rewards to the first claimer, since he claimed on time

  4. The second user now claims before the owner closes the pot, effectively bypassing the deadline restriction: no manager cut and no additional rewards for the first claimer

function test_canClaimAfterDeadline() public mintAndApproveTokens {
    // Owner creates and funds a contest with 100 tokens of rewards
    vm.startPrank(user);
    contest = ContestManager(conMan).createContest(players, rewardsArr1, IERC20(ERC20Mock(weth)), 100);
    ContestManager(conMan).fundContest(0);
    vm.stopPrank();
    assertEq(0, ERC20Mock(weth).balanceOf(conMan));
    assertEq(100, ERC20Mock(weth).balanceOf(contest));
    uint256 balanceOfOwnerBeforeCut = ERC20Mock(weth).balanceOf(user);
    uint256 balanceBefore = ERC20Mock(weth).balanceOf(player1);

    // player1 claims on time
    vm.startPrank(player1);
    Pot(contest).claimCut();
    vm.stopPrank();
    console.log("remaining rewards ", Pot(contest).getRemainingRewards());
    uint256 balanceAfter = ERC20Mock(weth).balanceOf(player1);
    assert(balanceAfter > balanceBefore);
    assertEq(50, ERC20Mock(weth).balanceOf(player1));

    // vm.warp sets block.timestamp to an absolute value, here past the 90-day deadline
    vm.warp(91 days);
    vm.prank(player2);
    // player2 claims even though 90 days have passed, which unfairly denies player1 another reward distribution and the manager a cut of the rewards
    Pot(contest).claimCut();
    assertEq(0, Pot(contest).getRemainingRewards()); // remaining rewards must be 0 since player2 came and claimed just before the manager closed the pot

    vm.prank(user);
    ContestManager(conMan).closeContest(contest);
    uint256 balanceAfterClosure = ERC20Mock(weth).balanceOf(player1);
    assertEq(balanceAfterClosure, balanceAfter); // balances are the same since player1 did not receive additional rewards
}
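The boundary behind the normal behavior described above (claims accepted up to the 90-day deadline, rejected from it onward) can be pinned with a Foundry test. This is an added example, not code from the submission or from MyCut: `WindowedPot`, its error and `cutOf` are hypothetical stand-ins that model only the claim window, using the same `>=` comparison as the recommended check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal pot (not the MyCut Pot): claim-window logic only, no token transfers.
contract WindowedPot {
    error ClaimWindowClosed();

    uint256 public immutable i_deployedAt;
    uint256 public remainingRewards;
    mapping(address => uint256) public cutOf;

    constructor(address[] memory players, uint256[] memory cuts) {
        i_deployedAt = block.timestamp;
        for (uint256 i = 0; i < players.length; i++) {
            cutOf[players[i]] = cuts[i];
            remainingRewards += cuts[i];
        }
    }

    function claimCut() external returns (uint256 cut) {
        // Same comparison as the recommended check: window is [deployedAt, deployedAt + 90 days).
        if (block.timestamp >= i_deployedAt + 90 days) revert ClaimWindowClosed();
        cut = cutOf[msg.sender];
        cutOf[msg.sender] = 0; // zero the share before accounting so it cannot be claimed twice
        remainingRewards -= cut;
    }
}

contract WindowedPotTest is Test {
    address player1 = makeAddr("player1"); // constructed test accounts
    address player2 = makeAddr("player2");
    WindowedPot pot;

    function setUp() public {
        address[] memory players = new address[](2);
        (players[0], players[1]) = (player1, player2);
        uint256[] memory cuts = new uint256[](2);
        (cuts[0], cuts[1]) = (50, 50); // constructed sample rewards
        pot = new WindowedPot(players, cuts);
    }

    function test_claimWindowBoundary() public {
        uint256 deadline = pot.i_deployedAt() + 90 days;
        vm.warp(deadline - 1); // last second inside the window
        vm.prank(player1);
        assertEq(pot.claimCut(), 50);
        vm.warp(deadline); // first second outside the window
        vm.prank(player2);
        vm.expectRevert(WindowedPot.ClaimWindowClosed.selector);
        pot.claimCut();
        assertEq(pot.remainingRewards(), 50); // the late share stays in the pot
    }
}
```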

Recommended Mitigation

In the Pot contract, add a deadline validation check to the claimCut function.

function claimCut() public {
+ if (block.timestamp >= i_deployedAt + 90 days) {
+ revert();
.....
}
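Review bot: the `if` block opened by `+ if (block.timestamp >= i_deployedAt + 90 days) {` is never closed before the elided body, so a `+ }` is needed after `+ revert();` for the patch to compile. The bare `revert();` also carries no reason; a named custom error (for example a hypothetical `Pot__ClaimWindowClosed()`) would let callers and tests distinguish a late claim from other failures. The declaration of `i_deployedAt` is not visible in these lines, so the patch should confirm it is set at deployment and that the `>=` boundary matches whatever condition gates closing the pot.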
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
