MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Distribution of Remaining Rewards

bbash

Summary

An issue was identified in the Pot smart contract where the remaining rewards after the manager's cut are distributed incorrectly. The contract distributes these rewards among all players (i_players) instead of only those who claimed their rewards within the designated period (claimants). This behavior deviates from the intended functionality, potentially leading to unfair distribution and dissatisfaction among the participants.

Vulnerability Details

The issue is in this line:

https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

The contract erroneously uses i_players.length to determine the distribution of remaining rewards after the manager’s cut. However, according to the project documentation, only players who have claimed their rewards within 90 days (i.e., claimants) should be eligible to receive a share of the remaining rewards. Using i_players.length could lead to incorrect reward distribution, including players who did not participate in the claim.

Proof of Concept (PoC):

Here’s how the issue manifests in the current contract:

Initial Setup:

Suppose there are 10 players eligible to claim rewards.
Only 3 of these players claim their rewards within the 90-day window.

Issue Occurrence:

After the 90-day period, the closePot() function is called.
The remaining rewards are calculated and divided by i_players.length (10), rather than claimants.length (3).
As a result, the remaining rewards are diluted among all players, including those who did not claim.

Impact:

Players who were active and claimed their rewards are unfairly rewarded.
Players who did not claim their rewards get a share they should not receive.

Impact

The intended fair distribution of remaining rewards among claimants is compromised, leading to dissatisfaction among participants.
The contract's behavior deviates from the documented functionality, potentially leading to trust issues among users.

Tools Used

Manual Review

Recommendations

Here is the updated code:

uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

This change ensures that the remaining rewards are distributed only among the players who actively participated in the reward claiming process within the designated period. It aligns the contract’s behavior with the documented expectations and ensures fair treatment of all participants.

Updates

Lead Judging Commences

equious Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect distribution in closePot()

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.