Manager's Cut Tokens Will Be Locked in the ContestManager Contract
Summary
The closePot function attempts to transfer the manager's cut directly to msg.sender, which is the ContestManager contract. Since this contract does not have a withdrawal function to handle ERC20 token transfers, the manager's cut tokens will remain locked in the ContestManager contract after the pot is closed.
Vulnerability Detail
The closePot function contains the following code to transfer the manager's cut:
Since each Pot instance is deployed by the ContestManager, the pot owner in this case will refers to the ContestManager contract. In this current implementation, the ContestManager contract does not have a mechanism to withdraw the ERC20 tokens, leaving the manager's cut tokens locked and inaccessible.
Impact
Tokens intended as the manager’s cut will be locked and inaccessible, since the ContestManager contract does not support ERC20 token withdrawals.
Tools Used
Manual Code Review
Recommendations
Add a withdraw function to the ContestManager contract that allows the owner to claim ERC20 tokens. This function should be callable only by the contract owner and should be used to withdraw the manager's cut after each closePot action. This ensures that the manager’s cut tokens are accessible and can be properly claimed:
Lead Judging Commences
Owner's cut is stuck in ContestManager
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.