MyCut

Summary

The closePot function in the Pot contract incorrectly calculates the manager’s cut of the remaining rewards. The current calculation results in the manager receiving a much larger portion of the remaining rewards than intended. This could lead to significant financial losses for the claimants and disrupt the fair distribution of rewards.

Vulnerability Details

In the closePot function, the manager's cut is calculated as remainingRewards / managerCutPercent, where managerCutPercent is set to 10. This calculation incorrectly divides the remainingRewards by 10, rather than taking 10% of the remainingRewards.

For example, if remainingRewards is 1000 tokens, the current calculation would give the manager 1000 / 10 = 100 tokens. However, this does not represent 10% of the total rewards but rather 10% of the total amount directly. In a more extreme case, if managerCutPercent is incorrectly set or misunderstood, the manager could receive a much larger share, which could be nearly all of the remainingRewards, leaving little to nothing for the claimants.

Impact

• Financial Loss: Claimants could receive a significantly smaller portion of the rewards than intended.

• Unfair Distribution: The incorrect distribution logic could undermine the trust in the system, as the manager might end up with a disproportionately large share of the rewards.

• Legal and Compliance Risks: Incorrect reward distribution could lead to legal and compliance issues, especially if the project has obligations to distribute funds according to a specified ratio.

Tools Used

Manual Review

Recommendations

To correctly calculate 10% of the remainingRewards, modify the closePot function to use the following formula:

This ensures that the manager receives exactly 10% of the remainingRewards, and the remaining 90% is correctly distributed among the claimants.