MyCut

First Flight #23
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Potential for DoS in `Pot::closePot` function

Summary

The Pot::closePot function should distribute the remaining rewards to the claimants after the contest has been closed. However, if any one of the claimants is unable to receive the reward tokens, the call reverts and nobody can claim their cut of the unclaimed tokens.

Vulnerability Details

In the Pot::closePot function, the remaining rewards are distributed to the claimants:

```solidity
function closePot() external onlyOwner {
    if (block.timestamp - i_deployedAt < 90 days) {
        revert Pot__StillOpenForClaim();
    }
    if (remainingRewards > 0) {
        uint256 managerCut = remainingRewards / managerCutPercent;
        i_token.transfer(msg.sender, managerCut);
        uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
        for (uint256 i = 0; i < claimants.length; i++) {
            _transferReward(claimants[i], claimantCut);
        }
    }
}

function _transferReward(address player, uint256 reward) internal {
    i_token.transfer(player, reward);
}
```

If any of the claimants are unable to receive the tokens, for example, due to blacklisting, the transfer call will revert, causing the entire closePot function to revert.

Impact

If any of the claimants are unable to receive their reward tokens, the entire closePot function will revert, preventing the contest from being closed and locking all remaining funds in the contract. This means that neither the claimants nor the contest manager will be able to access the locked funds.

Tools Used

Manual Code Review

Recommendations

To mitigate this issue, the _transferReward function should be modified to handle individual failed transfers without causing the entire function to revert. One approach is to use a try-catch block to catch any exceptions and continue with the distribution of rewards to the remaining claimants.
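One way to apply this recommendation, as an added sketch that is not part of the submission or the contest code base: a failed push transfer is recorded and left for the claimant to pull later, so one blocked recipient cannot revert the whole loop. The contract name `PotCloseSketch`, the `s_unpaid` mapping, `withdrawUnpaid`, the `RewardTransferFailed` event and the `claimantCut` parameter are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the contest's Pot contract. s_unpaid, withdrawUnpaid and
// RewardTransferFailed are hypothetical names.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
contract PotCloseSketch {
    IERC20 private immutable i_token;
    address private immutable i_owner;
    address[] private claimants;
    mapping(address => uint256) private s_unpaid; // rewards whose push transfer failed
    event RewardTransferFailed(address indexed player, uint256 reward);

    constructor(IERC20 token, address[] memory initialClaimants) {
        i_token = token;
        i_owner = msg.sender;
        claimants = initialClaimants;
    }

    // Distribution loop only; the 90-day check and cut arithmetic are left out.
    function closePot(uint256 claimantCut) external {
        require(msg.sender == i_owner, "not owner");
        for (uint256 i = 0; i < claimants.length; i++) {
            _transferReward(claimants[i], claimantCut);
        }
    }

    // A revert or a false return no longer aborts the loop; the amount is recorded.
    // Caveat: a token that returns no data makes return decoding fail in this
    // contract, and that revert is not caught by the catch clause.
    function _transferReward(address player, uint256 reward) internal {
        bool ok;
        try i_token.transfer(player, reward) returns (bool success) {
            ok = success;
        } catch {}
        if (!ok) {
            s_unpaid[player] += reward;
            emit RewardTransferFailed(player, reward);
        }
    }

    // Pull path: the claimant names a recipient that can receive the token.
    function withdrawUnpaid(address to) external {
        uint256 amount = s_unpaid[msg.sender];
        s_unpaid[msg.sender] = 0;
        require(i_token.transfer(to, amount), "transfer failed");
    }
}
```

`try`/`catch` only applies to external calls, which is why the guard wraps `i_token.transfer` directly rather than the internal `_transferReward` call in the loop.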

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
