MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

There isn't a way to withdraw the `manager cut` from the `ContestManager` contract

vasquez

Summary

There isn't a way to withdraw the manager cut from the ContestManager contract

Vulnerability Details

Since the ContestManager.sol is the owner of the Pot contracts, when the closeContest::ContestManager function is being called, the managerCut is being sent to the ContestManager contract and there is no way to withdraw it from there, leading to the locking of the funds in there forever.

https://github.com/Cyfrin/2024-08-MyCut/blob/946231db0fe717039429a11706717be568d03b54/src/Pot.sol#L54

Impact

There is no way to withdraw the managerCut from any contest and it's always going to end up locked in the ContestManager contract.

Tools Used

Manual Review

Recommendations

Add a function to withdraw the managerCut from the ContestManager contract.
Something like that:

function withdrawManagerCut(IERC20 token) public onlyOwner {

uint256 balance = token.balanceOf(address(this));

require(balance > 0, "ContestManager: No funds to withdraw");

token.transfer(owner(), balance);

}

Updates

Lead Judging Commences

equious Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Owner's cut is stuck in ContestManager

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.