MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Claimant can claim after 90 days if manager does not close the pot

hugoh

Root + Impact

Description

If the manager close the pot after the 90 days, the user could claim the reward with more days than expected (the limit is 90 days). This is unfair for the early claimants and also for the manager which could get a higher cut
Below function should have a check where asks if the 90 days has passed. If that period passed, should exit the function.

function claimCut() public {

address player = msg.sender;

uint256 reward = playersToRewards[player];

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Risk

Likelihood:

Medium. If the manager "forgets" or is not able to close the pot at day 90, exist the potential issue that some users continue getting the reward.

Impact:

Medium. This means a lesser cut for the manager and for the early claimants.

Proof of Concept

As we can see below, a user cut the reward after 90 days and that is still possible. When we check the user's balance. We see he has got the reward + the remaining. And he should have get nothing being that took the reward late.

function testIssueWithLimitOfDays() public mintAndApproveTokens {

vm.startPrank(user);

rewards = [20, 20];

contest = ContestManager(conMan).createContest(

players,

rewards,

IERC20(ERC20Mock(weth)),

);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.warp(91 days);

vm.startPrank(player1);

uint256 balancePlayer1Before = ERC20Mock(weth).balanceOf(player1);

Pot(contest).claimCut();

vm.stopPrank();

vm.startPrank(player2);

Pot(contest).claimCut();

vm.stopPrank();

vm.startPrank(user);

ContestManager(conMan).closeContest(contest);

uint256 balancePlayer1After = ERC20Mock(weth).balanceOf(player1);

vm.stopPrank();

// @audit: Player1's balance is bigger than zero when shouldn't as more than 90 days have passed.

uint256 balancePlayer1 = balancePlayer1After - balancePlayer1Before;

assert(balancePlayer1 > 0);

}

Recommended Mitigation

We add a check before which control doesn't be able to get the reward after 90 days.

function claimCut() public {

address player = msg.sender;

uint256 reward = playersToRewards[player];

+ if (block.timestamp - i_deployedAt > 90 days) {

+ revert Pot__ClosedForClaim();

+ }

if (reward <= 0) {

revert Pot__RewardNotFound();

}

playersToRewards[player] = 0;

remainingRewards -= reward;

claimants.push(player);

_transferReward(player, reward);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!