MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Manager's Cut Tokens Will Be Locked in the ContestManager Contract

Summary

The closePot function attempts to transfer the manager's cut directly to msg.sender, which is the ContestManager contract. Since this contract does not have a withdrawal function to handle ERC20 token transfers, the manager's cut tokens will remain locked in the ContestManager contract after the pot is closed.

Vulnerability Detail

The closePot function contains the following code to transfer the manager's cut:

i_token.transfer(msg.sender, managerCut);

Since each Pot instance is deployed by the ContestManager, the pot owner in this case is the ContestManager contract, so msg.sender in closePot is the ContestManager. In the current implementation, the ContestManager contract has no mechanism to withdraw ERC20 tokens, leaving the manager's cut locked and inaccessible.

Impact

Tokens intended as the manager’s cut will be locked and inaccessible, since the ContestManager contract does not support ERC20 token withdrawals.

Tools Used

Manual Code Review

Recommendations

Add a withdraw function to the ContestManager contract that allows the owner to claim ERC20 tokens. This function should be callable only by the contract owner and should be used to withdraw the manager's cut after each closePot action. This ensures that the manager’s cut tokens are accessible and can be properly claimed.
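The following is an added illustration of the recommended fix, not code from the MyCut repository. It assumes OpenZeppelin 5.x (whose Ownable constructor takes the initial owner) and that the ContestManager's other storage and constructor logic, which this page does not show, are unchanged; the function and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical sketch: only the recovery path is shown. The real ContestManager's
/// pot-creation logic and storage are assumed to exist unchanged around it.
contract ContestManager is Ownable {
    using SafeERC20 for IERC20;

    event ManagerCutWithdrawn(address indexed token, address indexed to, uint256 amount);

    // OpenZeppelin 5.x signature; with 4.x use `constructor() Ownable() {}` instead.
    constructor() Ownable(msg.sender) {}

    /// Sends this contract's entire balance of `token` to `to`.
    /// Restricted to the owner so the accumulated cut cannot be drained by arbitrary callers.
    function withdrawToken(IERC20 token, address to) external onlyOwner {
        require(to != address(0), "zero recipient");
        uint256 amount = token.balanceOf(address(this));
        require(amount > 0, "nothing to withdraw");
        // safeTransfer reverts on tokens that return false instead of reverting,
        // so a silent failure cannot leave the balance untouched while reporting success.
        token.safeTransfer(to, amount);
        emit ManagerCutWithdrawn(address(token), to, amount);
    }
}
```

After each closePot call the cut sits in ContestManager's balance of `i_token`, and the owner calls `withdrawToken(i_token, treasury)` to collect it. The sketch sweeps the whole balance; if the manager also holds tokens for other purposes in the same contract, add an explicit `amount` parameter and check it against `balanceOf` rather than draining everything.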

Updates

Lead Judging Commences

equious Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Owner's cut is stuck in ContestManager
