ContestManager::createContest never checks that the sum of rewards equals totalRewards, allowing over-allocation that DoSes late claimers or under-allocation that strands funds
Summary
createContest accepts players[], rewards[], and a totalRewards figure with no invariant that the per-player rewards actually sum to totalRewards. If the allocations sum to more than the funded total, late claimers' transfers revert once the Pot runs dry; if they sum to less, the difference inflates the residue and is mis-handled at close.
Description
The Pot is funded with totalRewards (via fundContest), and remainingRewards is initialized to totalRewards. But each player's claimable amount comes from rewards[], an independent array. Nothing reconciles sum(rewards) against totalRewards, so the funded pool and the promised allocations can diverge arbitrarily.
Risk
Over-allocation (sum(rewards) > totalRewards): early claimers drain the Pot, and later valid claimers' claimCut reverts on an insufficient balance - a denial of service that depends only on claim ordering. Under-allocation (sum(rewards) totalRewards, an early claim succeeds and a later valid claim reverts on insufficient Pot balance.
Recommended Mitigation
Enforce the invariant at creation:
uint256 sum;
for (uint256 i = 0; i < rewards.length; i++) sum += rewards[i];
require(sum == totalRewards, "allocation mismatch");
Also require players.length == rewards.length explicitly.
Tools Used
Foundry (forge), manual review.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.