MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Incorrect percentage calculation in closePot() results in manager claiming less or more than intended

Summary

In the closePot() function, there is an incorrect calculation of the manager's cut. The current code divides remainingRewards by managerCutPercent, which leads to incorrect percentages. For example, with a managerCutPercent of 20, the manager receives only 5% instead of the intended 20%. This miscalculation can cause the manager to claim either too much or too little, depending on the percentage value.

Vulnerability Details

In the closePot() function, the line responsible for calculating the manager's cut is as follows:

uint256 managerCut = remainingRewards / managerCutPercent;

Here, the remainingRewards is divided by managerCutPercent (which is intended to represent a percentage).

uint256 private constant managerCutPercent = 10;

However, if this constant is, for example, 20, dividing by 20 yields 5% of the rewards rather than 20%. The correct approach is to calculate the percentage of remainingRewards by multiplying it by managerCutPercent and then dividing by 100.

For example:

  • If remainingRewards = 1000 and managerCutPercent = 20, the current calculation would result in 1000 / 20 = 50, which is only 5% of the total amount, not the intended 20%.

  • The correct calculation should be 1000 * 20 / 100 = 200, which properly calculates 20% of the remaining rewards.

Impact

Due to the incorrect calculation of the manager's cut, the following issues may occur:

  1. Manager Claims Less Than Intended: With a managerCutPercent of 20, the manager would only receive 5% of the remainingRewards instead of 20%. This could significantly reduce the manager's cut, leading to an unintended loss of rewards.

  2. Manager Claims More Than Intended (Depending on managerCutPercent): In cases where the managerCutPercent is lower, the manager could end up claiming a larger portion of the rewards than intended, creating unfair distribution for claimants.

  3. Unfair Distribution: Incorrect manager cut calculations affect the remaining rewards available for distribution among claimants, which can lead to an unfair outcome.

Steps to Reproduce the Issue:

  1. Deploy the Pot contract and set managerCutPercent to 20.

  2. Allow some claimants to claim their rewards.

  3. Call the closePot() function before the claim period expires.

  • Expected Outcome: The manager should receive 20% of the remaining rewards.

  • Actual Outcome: The manager only receives 5% of the remainingRewards.

Tools Used

Manual Review

Recommendations

To fix this issue, modify the managerCut calculation in the closePot() function. Instead of dividing remainingRewards by managerCutPercent, calculate the correct percentage by multiplying remainingRewards by managerCutPercent and then dividing by 100.

Replace this line:

uint256 managerCut = remainingRewards / managerCutPercent;

with:

uint256 managerCut = remainingRewards * managerCutPercent / 100;

This will ensure that the manager receives the correct percentage of the remainingRewards and that the remaining rewards are distributed fairly among the claimants.
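The Foundry test below is an added example, not code from the submission or from the MyCut project. It models the two formulas in isolation (CutMath, CutMathTest and the function names are hypothetical and nothing here calls Pot.closePot()), and it goes beyond the report's single case by checking every percent from 1 to 100, showing that the two formulas agree only when the percent is 10.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical standalone model of the two formulas; it does not call the Pot contract.
library CutMath {
    // Formula quoted in the report: divides by the percent value itself.
    function cutByDivision(uint256 remainingRewards, uint256 percent) internal pure returns (uint256) {
        return remainingRewards / percent;
    }

    // Formula from the Recommendations section: multiply first, then divide by 100,
    // so integer truncation happens only once, at the end.
    function cutByPercent(uint256 remainingRewards, uint256 percent) internal pure returns (uint256) {
        return remainingRewards * percent / 100;
    }
}

contract CutMathTest is Test {
    uint256 internal constant REMAINING = 1000; // constructed value, same as the report's example

    // The report's worked example: percent = 20.
    function test_ReportExample() public {
        assertEq(CutMath.cutByDivision(REMAINING, 20), 50); // 5% of 1000
        assertEq(CutMath.cutByPercent(REMAINING, 20), 200); // 20% of 1000
    }

    // Generalization over every percent from 1 to 100.
    function testFuzz_DirectionOfError(uint256 percent) public {
        percent = bound(percent, 1, 100);
        uint256 byDivision = CutMath.cutByDivision(REMAINING, percent);
        uint256 byPercent = CutMath.cutByPercent(REMAINING, percent);

        if (percent < 10) {
            assertGt(byDivision, byPercent); // manager is overpaid
        } else if (percent > 10) {
            assertLt(byDivision, byPercent); // manager is underpaid
        } else {
            assertEq(byDivision, byPercent); // 100 / 10 == 10, the only agreeing value
        }
    }
}
```

Run it with `forge test --match-contract CutMathTest` in a Foundry project that has forge-std installed.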

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Erroneous ManagerCut calculation

Appeal created

abhishekthakur Auditor
about 1 year ago
josh4324 Auditor
about 1 year ago
equious Lead Judge
about 1 year ago
equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
