MyCut

AI First Flight #8 (Beginner Friendly, Foundry)

Submission Details
Impact: medium
Likelihood: medium
Status: Invalid

[M-2] Missing Execution Status Check in `closePot` Lets the Pot Be Closed Multiple Times, Allowing Repeated Manager Cuts and Reward Misallocation

Description

  • Normal behavior: A pot should be closed exactly once, after the claim period ends, distributing the remaining rewards correctly and taking the manager cut a single time.

  • Issue: closePot() does not record whether it has already been executed. Without a state variable (a `closed` flag), the function can be called repeatedly, allowing repeated manager cut transfers and multiple distributions of the remaining rewards.

    function closePot() external onlyOwner {
    @>  // no closed flag: nothing records that the pot was already closed
    }

Risk

Likelihood: MEDIUM

  • Occurs if the owner accidentally or maliciously calls closePot() more than once.

  • There is no built-in guard to prevent repeated execution.

Impact:

  • The manager could receive multiple cuts of the remaining rewards.

  • Claimants’ payouts may be incorrectly redistributed multiple times, leading to accounting inconsistencies.

  • Funds may be unfairly depleted or misallocated.

Severity: Medium (M)

Proof of Concept

Explanation:

vm.warp moves the block timestamp past the 90-day claim period.

The first closePot() call executes normally.

The second closePot() call should fail, but without a closed flag it executes again, showing that the contract does not enforce single execution.

This demonstrates the risk: repeated manager cuts and double payouts to claimants.

    function test_closePot_CanBeCalledTwice() public {
        // `user` is assumed to be the pot owner here, since closePot() is onlyOwner
        vm.startPrank(user);
        // fast forward past the 90-day claim period
        vm.warp(block.timestamp + 91 days);
        pot.closePot();
        pot.closePot(); // demonstrates missing closed flag: does not revert
        vm.stopPrank();
    }

Recommended Mitigation

Explanation:

Adding a closed flag ensures that closePot() can only be executed once, preventing repeated manager cuts or double distribution of rewards.

The require(!closed) check immediately reverts any subsequent attempts to close the pot, enforcing proper lifecycle control.

    + bool private closed;
    + function closePot() external onlyOwner {
    +     require(!closed, "Pot already closed");
    +     closed = true;
    +     ...
    + }

Updates
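The following is an added example, not the MyCut project's code and not part of the original submission: a minimal Pot-like contract whose closePot() carries the recommended closed flag, together with a Foundry test that checks the second close reverts and that the manager cut is credited only once. The contract name (SimplePot), the internal payouts ledger used in place of an ERC20 token, the 10% manager cut and the error names are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical SimplePot), not the MyCut Pot contract.
import {Test} from "forge-std/Test.sol";

contract SimplePot {
    error Pot__StillOpenForClaim();
    error Pot__AlreadyClosed();
    error Pot__NotOwner();
    error Pot__NoClaimants();

    address public immutable i_owner;
    uint256 public immutable i_deployedAt;
    uint256 public constant CLAIM_PERIOD = 90 days;
    uint256 public constant MANAGER_CUT_PERCENT = 10; // manager gets 1/10 of what is left (assumed)

    address[] public claimants;
    uint256 public remainingRewards;
    mapping(address => uint256) public payouts; // internal ledger instead of an ERC20 (assumed)
    bool public closed; // the lifecycle guard the finding recommends

    constructor(address[] memory claimants_, uint256 rewards) {
        if (claimants_.length == 0) revert Pot__NoClaimants();
        i_owner = msg.sender;
        i_deployedAt = block.timestamp;
        claimants = claimants_;
        remainingRewards = rewards;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert Pot__NotOwner();
        _;
    }

    function closePot() external onlyOwner {
        if (block.timestamp - i_deployedAt < CLAIM_PERIOD) revert Pot__StillOpenForClaim();
        if (closed) revert Pot__AlreadyClosed(); // any second call stops here
        closed = true; // set before any value movement (checks-effects-interactions)

        uint256 managerCut = remainingRewards / MANAGER_CUT_PERCENT;
        payouts[i_owner] += managerCut;
        uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;
        for (uint256 i = 0; i < claimants.length; i++) {
            payouts[claimants[i]] += claimantCut;
        }
        remainingRewards = 0;
    }
}

contract SimplePotTest is Test {
    SimplePot pot;
    address manager = makeAddr("manager");
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        address[] memory cs = new address[](2);
        cs[0] = alice;
        cs[1] = bob;
        vm.prank(manager);
        pot = new SimplePot(cs, 1000); // constructed sample: 1000 reward units
    }

    function test_closePot_SecondCallReverts() public {
        vm.warp(block.timestamp + 91 days); // past the claim period
        vm.startPrank(manager);
        pot.closePot();
        assertEq(pot.payouts(manager), 100); // 1000 / 10
        assertEq(pot.payouts(alice), 450);   // (1000 - 100) / 2
        vm.expectRevert(SimplePot.Pot__AlreadyClosed.selector);
        pot.closePot(); // guarded: reverts, no second manager cut
        vm.stopPrank();
        assertEq(pot.payouts(manager), 100); // unchanged
    }

    function test_closePot_RevertsBeforeClaimPeriod() public {
        vm.prank(manager);
        vm.expectRevert(SimplePot.Pot__StillOpenForClaim.selector);
        pot.closePot();
    }
}
```

Run with `forge test` in a project that has forge-std installed. Setting `closed = true` before crediting any payout matters: if the distribution ever involves an external token transfer, the flag must already be set when that call is made, otherwise a reentrant call into closePot() would pass the guard.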

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
