The closePot
function attempts to transfer the manager's cut directly to msg.sender
, which is the ContestManager
contract. Since this contract does not have a withdrawal function to handle ERC20 token transfers, the manager's cut tokens will remain locked in the ContestManager
contract after the pot is closed.
The closePot
function contains the following code to transfer the manager's cut:
Since each Pot instance is deployed by the ContestManager
, the pot owner in this case will refers to the ContestManager
contract. In this current implementation, the ContestManager
contract does not have a mechanism to withdraw the ERC20 tokens, leaving the manager's cut tokens locked and inaccessible.
Tokens intended as the manager’s cut will be locked and inaccessible, since the ContestManager
contract does not support ERC20 token withdrawals.
Manual Code Review
Add a withdraw function to the ContestManager
contract that allows the owner to claim ERC20 tokens. This function should be callable only by the contract owner and should be used to withdraw the manager's cut after each closePot
action. This ensures that the manager’s cut tokens are accessible and can be properly claimed:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.