Submission Details
Impact:
Likelihood:
[H] user still can claim after 90 days or closePot
[H] user still can claim after 90 days or closePot
Description
-
User still can claim after 90 days or closePot. The claim function does not check the time.
-
And, closePot not clear user's claim credit
playersToRewards, user can still claim after close pot.
@> function claimCut() public {
address player = msg.sender;
uint256 reward = playersToRewards[player];
if (reward <= 0) {
revert Pot__RewardNotFound();
}
playersToRewards[player] = 0;
remainingRewards -= reward;
claimants.push(player);
_transferReward(player, reward);
}
Risk
Likelihood: High
User always can claim after 90 days or close pot.
Impact: High
This sure will break protocol's purpose!
Proof of Concept
Pot pass 90 days or closed
User still can call claim
Recommended Mitigation
In claim function, add check for time and if pot has closed:
function claimCut() public {
+ if (block.timestamp - i_deployedAt > 90 days) {
+ revert Pot__NotOpenForClaim();
+ }
address player = msg.sender;
uint256 reward = playersToRewards[player];
if (reward <= 0) {
revert Pot__RewardNotFound();
}
playersToRewards[player] = 0;
remainingRewards -= reward;
claimants.push(player);
_transferReward(player, reward);
}
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.