MyCut

AI First Flight #8
Beginner Friendly, Foundry
Submission Details
Impact: high
Likelihood: high
Invalid

Unrestricted Reward Claims After 90-Day Deadline – Allows Players to Claim Rewards Past Claim Period

Description

  • Players are only allowed to claim their contest rewards within 90 days of the pot being created. After this period, the manager closes the pot and distributes any remaining rewards, preventing further claims.

  • The claimCut() function performs no timestamp check, so a player can still claim after the 90-day window has elapsed, as long as the manager has not yet closed the pot. This breaks the intended 90-day claim-period invariant.

// In the function below there is no check to prevent
// players from claiming after 90 days.
function claimCut() public {
    address player = msg.sender;
    uint256 reward = playersToRewards[player];
    // reward is a uint256, so `<= 0` is equivalent to `== 0`
    if (reward <= 0) {
        revert Pot__RewardNotFound();
    }
    playersToRewards[player] = 0; // each player can claim only once
    remainingRewards -= reward;
    claimants.push(player);
    _transferReward(player, reward);
}
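As an added example (not the MyCut contracts and not this submission's code), the following standalone Foundry file shows the invariant the finding describes enforced in code: claimCut() rejects calls once the 90-day window has passed, and closePot() can only run after it, so the two paths cannot overlap in time. The contract name DeadlinePot, the paidOut ledger that stands in for the token transfer, claimOpen(), CLAIM_WINDOW and the Pot__StillOpenForClaim / Pot__NotManager errors are assumptions made for the example. Note the judging update further down: the finding was invalidated as an incorrect statement of the protocol's rules, so treat the cutoff here as the rule this submission argues for rather than as MyCut's intended behavior.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not the MyCut contracts. Rewards are tracked in an internal
// `paidOut` ledger instead of an ERC20 transfer so the file stands alone.
contract DeadlinePot {
    error Pot__RewardNotFound();
    error Pot__ClaimPeriodOver();
    error Pot__StillOpenForClaim(); // assumed name
    error Pot__NotManager();        // assumed name

    // One constant shared by the claim path and the close path, so the
    // two deadlines cannot drift apart.
    uint256 public constant CLAIM_WINDOW = 90 days;

    address public immutable i_manager;
    uint256 public immutable i_deployedAt;

    mapping(address => uint256) public playersToRewards;
    mapping(address => uint256) public paidOut; // stands in for _transferReward
    uint256 public remainingRewards;
    address[] public claimants;

    constructor(address[] memory players, uint256[] memory rewards) {
        require(players.length == rewards.length, "length mismatch");
        i_manager = msg.sender;
        i_deployedAt = block.timestamp;
        for (uint256 i = 0; i < players.length; i++) {
            playersToRewards[players[i]] = rewards[i];
            remainingRewards += rewards[i];
        }
    }

    // True while claims are accepted; exactly 90 days is treated as still open.
    function claimOpen() public view returns (bool) {
        return block.timestamp - i_deployedAt <= CLAIM_WINDOW;
    }

    function claimCut() public {
        if (!claimOpen()) revert Pot__ClaimPeriodOver();
        uint256 reward = playersToRewards[msg.sender];
        if (reward == 0) revert Pot__RewardNotFound();
        playersToRewards[msg.sender] = 0; // one claim per player
        remainingRewards -= reward;
        claimants.push(msg.sender);
        paidOut[msg.sender] += reward;
    }

    // Manager keeps 10% of what was left unclaimed; the rest is split evenly
    // among players who claimed in time (division dust stays in the pot).
    function closePot() public {
        if (msg.sender != i_manager) revert Pot__NotManager();
        if (claimOpen()) revert Pot__StillOpenForClaim();
        uint256 managerCut = remainingRewards / 10;
        uint256 toShare = remainingRewards - managerCut;
        remainingRewards = 0;
        paidOut[i_manager] += managerCut;
        if (claimants.length > 0) {
            uint256 each = toShare / claimants.length;
            for (uint256 i = 0; i < claimants.length; i++) {
                paidOut[claimants[i]] += each;
            }
        }
    }
}

contract DeadlinePotTest is Test {
    address manager = makeAddr("manager");
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    DeadlinePot pot;

    function setUp() public {
        // constructed sample contest: alice is owed 100, bob is owed 300
        address[] memory players = new address[](2);
        players[0] = alice;
        players[1] = bob;
        uint256[] memory rewards = new uint256[](2);
        rewards[0] = 100;
        rewards[1] = 300;
        vm.prank(manager);
        pot = new DeadlinePot(players, rewards);
    }

    function test_lateClaimRevertsAndCloseRedistributes() public {
        vm.prank(alice);
        pot.claimCut(); // inside the window: accepted

        vm.warp(block.timestamp + 91 days);

        vm.prank(bob);
        vm.expectRevert(DeadlinePot.Pot__ClaimPeriodOver.selector);
        pot.claimCut(); // day 91: rejected

        vm.prank(manager);
        pot.closePot();
        assertEq(pot.paidOut(manager), 30);      // 10% of bob's unclaimed 300
        assertEq(pot.paidOut(alice), 100 + 270); // own cut plus the remainder
        assertEq(pot.remainingRewards(), 0);
    }
}
```

Run it with `forge test --mc DeadlinePotTest -vvv` in a Foundry project that has forge-std installed. The single `CLAIM_WINDOW` constant and the shared `claimOpen()` helper are the design point: whichever side of the deadline a call lands on, exactly one of claimCut() and closePot() can succeed.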

Risk

Likelihood:

  • This issue occurs whenever a player attempts to call claimCut() after the 90-day claim period has elapsed and before the manager has closed the pot. It is independent of the number of players or the amount of rewards and will consistently happen whenever the time condition is exceeded.

Impact:

  • The contest manager may receive less than their intended 10% of unclaimed rewards if players claim after the 90-day period.

  • Rewards intended to be redistributed among timely claimants could instead go to late-claiming players, violating fairness.

  • The protocol’s core rule that players must claim within 90 days is broken, undermining trust in the system.

  • Because closing depends on the manager acting, players who delay past 90 days can still claim in the gap before closePot() is called, shrinking what the close step has available to redistribute. Each player's entry in playersToRewards is zeroed on claim, so the exposure is the late claims themselves, not repeated claims by one player.

Proof of Concept

Paste the following test into the project's test file and run `forge test --mt test_playerCannotClaimAfter90Days -vvv`. The test expects the late claim to revert; it fails because claimCut() succeeds, which demonstrates that the 90-day invariant is not enforced.

function test_playerCannotClaimAfter90Days() public mintAndApproveTokens {
    vm.startPrank(owner);
    // 1. Create the contest (helper_contest, players, rewards and
    //    totalRewards come from the project's existing test file)
    ContestManager cm = helper_contest();
    cm.createContest(
        players,
        rewards,
        IERC20(ERC20Mock(wethToken)),
        totalRewards
    );
    // 2. Fund the contest
    cm.fundContest(0);
    // Get the pot that was deployed for it
    address potAddress = cm.getContests()[0];
    Pot pot = Pot(potAddress);
    vm.stopPrank();

    // 3. Move time forward beyond the 90-day window
    vm.warp(block.timestamp + 91 days);

    // 4. A player tries to claim after 90 days
    vm.startPrank(player1);
    // Expected: revert because the claim period is over.
    // Actual: the call succeeds, so this test fails.
    vm.expectRevert();
    pot.claimCut();
    vm.stopPrank();
}

Recommended Mitigation

The bug can be mitigated by adding a check in the claimCut() function to prevent players from claiming after 90 days:

+ error Pot__ClaimPeriodOver();
+ function claimCut() public {
+ if (block.timestamp - i_deployedAt > 90 days) {
+ revert Pot__ClaimPeriodOver();
+ }
+ ...
+ }
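Review bot: the `+` markers on `function claimCut() public {` and the closing `}` mark lines that already exist as additions, and the `...` elides the body, so the snippet does not apply as a diff; show only the new `error Pot__ClaimPeriodOver();` declaration and the three inserted lines as additions, with the existing body as unchanged context. The description states that the manager closes the pot after the same 90-day window, so put the window in one named constant used by both checks instead of a literal `90 days` here, and decide explicitly whether a claim at exactly 90 days is accepted (`>` as written rejects only strictly later calls).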

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
