MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

The Manager Cut's Tokens Locked In ContestManager

evmninja

Summary

The tokens sent to ContestManager contract as a part of the manager's cut from the Pot contract are unclaimable by the ContestManager's owner.

Vulnerability Details

When function ContestManager::closeContest() is successfully called by the ContestManager's Owner (we will refer to this actor as Owner, assuming that they are an EOA), the related Pot contract will execute Pot::closePot(). Since the Pot's owner is ContestManager, then the manager's cut (calculated on line 54) is transferred to the ContestManager contract on line 55.

Since there is no way for the Owner to claim the assets that now belong to the ContestManager, then the assets are forever locked and unclaimable.

Impact

Loss of assets that should have been owned by the Owner.

Tools Used

Manual review.

Recommendations

Consider transferring the assets to the Owner once they are received by the ContestManager contract. Alternatively, provide a function for the Owner to claim the assets manually.

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Owner's cut is stuck in ContestManager

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.