MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

No validation for time in `Pot::claimCut`

prongsdev125

`Pot::claimCut` has no validation for the time, and it enables anyone to claim their cut after the contest is closed or the claim period is over.

Description

Nobody can't claim their cut after the claim period is over.
But Pot::claimCut has no validation for the time, so anyone can claim their cut after the claim period is over.

function claimCut() public {

// @> No validation for the time

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Risk

Likelihood:

When the claim period is over, players who didn't claim in time, can claim their cuts.

Impact:

It's possible for players to claim their cuts after the claim period is over.

Proof of Concept

ContestManager create new Pot and add players and rewards.
No one claims their cut before the claim period is over.
Players who didn't claim in time, claim their cuts.

function testCanClaimAfterClose() public mintAndApproveTokens {

vm.startPrank(user);

rewards = [500, 500];

totalRewards = 1000;

contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.warp(91 days);

vm.startPrank(player1);

Pot(contest).claimCut();

vm.stopPrank();

assertEq(ERC20Mock(weth).balanceOf(player1), 500);

}

Recommended Mitigation

Add validation for the time(block.timestamp < i_deplayAt + 90 days) in Pot::claimCut.

function claimCut() public {

+ require(block.timestamp < i_deployedAt + 90 days, "Pot: Claim period is over.");

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!