MyCut

AI First Flight #8
Beginner Friendly, Foundry
Submission Details
Impact: low
Likelihood: medium
Invalid

Duplicate contest funding can lock excess tokens

Root + Impact

Description

The fundContest() function allows the owner to fund the same contest multiple times.

Root Cause

Inside fundContest():

token.transferFrom(msg.sender, address(pot), totalRewards);

The contract does not track whether a contest has already been funded.

Risk

Likelihood

  • The issue can occur accidentally through repeated owner calls.

  • No protection exists against duplicate funding.

Impact

  • Excess ERC20 tokens may be transferred into the Pot contract.

  • Extra tokens can become permanently locked because no withdrawal mechanism exists.

Proof of Concept

    function testDuplicateFunding() public {
        // First funding
        contestManager.fundContest(0);
        // Second funding of same contest
        contestManager.fundContest(0);
        // Pot now contains excess tokens
    }
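
The duplicate-funding behaviour described above, with and without the guard proposed under Recommended Mitigation, as an added Foundry example that is not part of the original submission or the MyCut code base. `MockToken`, `Manager` and the pot address are constructed stand-ins (assumptions); only `fundContest`, `funded`, `totalRewards` and the revert string come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-ins (assumptions), not the MyCut contracts; onlyOwner is omitted.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external { allowance[msg.sender][spender] = amt; }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt; // checked math reverts when allowance is short
        balanceOf[from] -= amt; balanceOf[to] += amt;
        return true;
    }
}

contract Manager {
    MockToken token; address pot; uint256 totalRewards; bool guarded;
    mapping(address => bool) public funded;
    constructor(MockToken t, address p, uint256 r, bool g) { token = t; pot = p; totalRewards = r; guarded = g; }
    function fundContest() external {
        if (guarded) { // the check proposed in the mitigation
            require(!funded[pot], "Contest already funded");
            funded[pot] = true;
        }
        require(token.transferFrom(msg.sender, pot, totalRewards), "transfer failed");
    }
}

contract DuplicateFundingTest is Test {
    MockToken token = new MockToken();
    address pot = address(0xB0B); // constructed pot address
    function fundOnce(bool guarded) internal returns (Manager m) {
        m = new Manager(token, pot, 100e18, guarded);
        token.mint(address(this), 200e18);
        token.approve(address(m), 200e18);
        m.fundContest();
    }
    function testUnguardedSecondCallDoublesPotBalance() public {
        fundOnce(false).fundContest();
        assertEq(token.balanceOf(pot), 200e18); // twice totalRewards
    }
    function testGuardedSecondCallReverts() public {
        Manager m = fundOnce(true);
        vm.expectRevert(bytes("Contest already funded"));
        m.fundContest();
        assertEq(token.balanceOf(pot), 100e18); // exactly totalRewards
    }
}
```

Run with `forge test --match-contract DuplicateFundingTest` inside a Foundry project that has forge-std installed.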

Recommended Mitigation

+ mapping(address => bool) public funded;
function fundContest(uint256 index) public onlyOwner {
Pot pot = Pot(contests[index]);
+ require(!funded[address(pot)], "Contest already funded");
+ funded[address(pot)] = true;
token.transferFrom(msg.sender, address(pot), totalRewards);
}
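
Review bot: the return value of the unchanged `token.transferFrom(msg.sender, address(pot), totalRewards);` line is not checked, while the new `funded[address(pot)] = true;` is written just before it. With a token that returns false instead of reverting, the contest would be marked funded although no tokens moved, and the new `require` would then block any retry. Suggest requiring a true return value, or using OpenZeppelin's SafeERC20 `safeTransferFrom`, so that a failed transfer reverts and rolls the flag back. Also, `token` and `totalRewards` are not defined in the lines shown, so the patched function needs to keep the statements that load them.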

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
