MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Improper Player Validation and Duplicate Claim Prevention

lelouchvibritannia

The claimCut function must ensure that only valid players can claim their rewards and that each player can claim only once. Without these checks, a non-player could attempt to claim tokens, or a legitimate player could claim multiple times, breaking the intended reward distribution logic.

If exploited, an unauthorized address could receive rewards, or a player could receive multiple payouts. This leads to unfair reward distribution, potential financial loss, and undermines the integrity of the contest.

Risk

Likelihood

Reason 1: claimCut is externally callable.
Reason 2: No enforced single-claim restriction.

Impact

Unauthorized reward extraction.
Multiple payouts to the same player.

function test_PoC_ClaimCutPlayerValidation() public {

address player = address(0x1);

Pot pot = new Pot([player], [1 ether], token, 1 ether);

// First valid claim

vm.prank(player);

pot.claimCut();

// Attempt repeated claim

vm.prank(player);

vm.expectRevert(); // should revert due to hasClaimed mapping

pot.claimCut();

// Attempt claim by non-player

address attacker = address(0x2);

vm.prank(attacker);

vm.expectRevert(); // should revert due to isPlayer mapping

pot.claimCut();

}

Recommended Mitigation

Ensure that claimCut validates that the caller is a registered player and has not already claimed their reward. By maintaining these checks, each player can claim exactly once, unauthorized addresses are prevented from claiming, and reward distribution remains fair and predictable.

function claimCut() external {

+ require(isPlayer[msg.sender], "Not a player");

+ require(!hasClaimed[msg.sender], "Already claimed");

+ hasClaimed[msg.sender] = true;

token.transfer(msg.sender, cuts[msg.sender]);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!