Vulnerability Details

The `closePot()` function is designed to distribute remaining rewards between the contest manager and the claimants after a contest has been closed (post 90 days). However, the current implementation of the manager's cut calculation contains a critical flaw in the way it performs the division operation:

This formula uses Solidity's integer division, which truncates any fractional results. If `remainingRewards` is less than `managerCutPercent`, the division will result in `0`, causing the manager to receive no rewards, even though they are entitled to a portion.

Impact

• Loss of Funds for Manager: If the calculated `managerCut` is `0` due to the truncation caused by integer division, the manager may not receive any portion of the rewards, which is a significant financial loss. This issue can occur in cases where the remaining rewards are relatively small compared to the `managerCutPercent`.

• Unintended Contract Behavior: The discrepancy in expected versus actual rewards could lead to unexpected behaviors in the contract, particularly if other logic depends on the correct distribution of funds.

Proof Of Concept

Consider a scenario where:

- `remainingRewards = 9`

- `managerCutPercent = 10`

Given the current implementation:

This calculation results in `managerCut` being `0`, meaning no rewards will be transferred to the manager.

Tools Used

Manual Review

Recommendations

To ensure that the manager receives the correct cut of the rewards, modify the division logic as follows:

This formula multiplies the `remainingRewards` by `managerCutPercent` first, then divides by `100` to correctly account for percentage calculations. This approach prevents the truncation issue and ensures that the manager receives the appropriate portion of the rewards.