The Pot::closePot function incorrectly transfers the Pot::managerCut to the ContestManager contract instead of the owner of the ContestManager. Additionally, the ContestManager contract lacks a function to allow the owner to withdraw these funds, leading to potential fund lockup.
In the Pot::closePot function, when the pot is closed, the Pot::managerCut—a portion of the remaining rewards—is transferred to msg.sender:
Since Pot::closePot is marked with onlyOwner and the Pot's owner is the ContestManager contract, msg.sender here is the ContestManager contract itself, not the actual owner of the ContestManager. As a result, the managerCut is transferred to the ContestManager contract instead of the intended recipient, the owner of the ContestManager.
Furthermore, the ContestManager contract does not provide any function that allows the owner to withdraw these funds. This omission means that the funds transferred as Pot::managerCut could become permanently locked within the ContestManager contract, making them inaccessible to the intended recipient.
Locked Funds: The Pot::managerCut funds may become permanently locked within the ContestManager contract, rendering them inaccessible to the owner. This could result in a significant loss of funds, especially if the Pot::managerCut represents a substantial portion of the remaining rewards.
Manual Review
Consider implementing a withdrawal function in the ContestManager contract that allows the owner to withdraw any funds that may have been incorrectly transferred to the contract:
Or update the Pot::closePot function to correctly transfer the Pot::managerCut directly to the owner of the ContestManager contract rather than to msg.sender.
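An added sketch of both recommendations, not the audited project's code: the contract, interface and function names are hypothetical, the pot is assumed to be deployed by the manager contract, and the cut amount is passed in as a parameter only to keep the sketch short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names are hypothetical, not the audited project's code.
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IOwned {
    function owner() external view returns (address);
}

// Option 1: the manager contract can release tokens it received as msg.sender.
contract ManagerSketch {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    // Sends this contract's whole balance of `token` to the owner account.
    function withdrawToken(IERC20Min token) external {
        require(msg.sender == owner, "not owner");
        uint256 balance = token.balanceOf(address(this));
        require(token.transfer(owner, balance), "transfer failed");
    }
}

// Option 2: the pot pays the owner of the calling manager, not the caller.
contract PotSketch {
    IERC20Min public immutable token;
    address public immutable manager; // assumed: the manager contract deploys the pot

    constructor(IERC20Min token_) {
        token = token_;
        manager = msg.sender;
    }

    // `managerCut` is passed in here only to keep the sketch short.
    function closePot(uint256 managerCut) external {
        require(msg.sender == manager, "not manager");
        address recipient = IOwned(manager).owner(); // resolve the manager's owner
        require(token.transfer(recipient, managerCut), "transfer failed");
    }
}
```

Tokens that do not return a boolean from transfer would need a safe-transfer wrapper such as OpenZeppelin's SafeERC20 in place of the bare require.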