Incorrect distribution of remaining rewards among claimants in the closePot function. The function incorrectly divides the remaining rewards (after the manager's cut) by the total number of players (i_players.length) instead of by the number of actual claimants (claimants.length), leading to potential misallocation of funds.
The closePot function is responsible for distributing the remaining rewards after 90 days to the claimants and the manager. The function currently calculates each claimant's share of the remaining rewards by dividing the remaining rewards (after deducting the manager's cut) by the total number of players (i_players.length). This approach is flawed because it assumes that all players have claimed their rewards, which is not necessarily the case. As a result, the rewards are incorrectly allocated among all players rather than just the claimants.
Vulnerability Location:
Pot.sol: Line 57
This vulnerability could lead to an incorrect distribution of rewards:
Overpayment or Underpayment: Claimants may receive more or less than their rightful share of the remaining rewards, causing financial discrepancies and potential disputes.
Loss of Trust: Users may lose trust in the protocol due to perceived unfairness or mismanagement of funds.
Potential Exploit: Players might strategically delay their claims or avoid claiming altogether if they believe the distribution mechanism is flawed, impacting the protocol's integrity.
Manual Review
To mitigate this issue, modify the calculation in the closePot function to divide the remaining rewards by the number of actual claimants (claimants.length) instead of the total number of players (i_players.length). This ensures that only players who have claimed their rewards receive a portion of the remaining rewards.
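The effect of the two divisors can be checked with a small model. This is an added Python example, not the Pot.sol source: it assumes payouts are sent only to addresses in claimants, and MANAGER_CUT_PERCENT and every sample amount are constructed values. It also covers the zero-claimant case, which a fix that divides by claimants.length has to guard explicitly.

```python
# Added illustration: models the payout arithmetic only, not the contract code.
# Assumptions (not from the page): a 10% manager cut, payouts go only to
# claimants, and all amounts below are constructed sample values.
MANAGER_CUT_PERCENT = 10


def close_pot(remaining_rewards, total_players, claimant_count, divisor):
    """Model the split of the unclaimed balance when the pot is closed.

    divisor="players"   -> behaviour described in the finding (i_players.length)
    divisor="claimants" -> recommended fix (claimants.length)
    Returns (manager_cut, per_claimant, stranded) in integer token units,
    where stranded is what is left in the contract after all payouts.
    """
    if claimant_count > total_players:
        raise ValueError("claimants cannot outnumber players")
    if divisor not in ("players", "claimants"):
        raise ValueError("divisor must be 'players' or 'claimants'")

    manager_cut = remaining_rewards * MANAGER_CUT_PERCENT // 100
    distributable = remaining_rewards - manager_cut
    denom = total_players if divisor == "players" else claimant_count

    if denom == 0:
        # Solidity reverts on division by zero, so a fixed closePot needs an
        # explicit branch here. The model reports everything as unpaid.
        return manager_cut, 0, distributable

    per_claimant = distributable // denom  # integer division truncates, as in Solidity
    stranded = distributable - per_claimant * claimant_count
    return manager_cut, per_claimant, stranded


if __name__ == "__main__":
    # Constructed scenario: 1000 tokens unclaimed, 10 players, 4 of them claimed.
    for mode in ("players", "claimants"):
        cut, share, stranded = close_pot(1000, 10, 4, mode)
        print(f"{mode:9s} manager={cut} per_claimant={share} stranded={stranded}")
```

In the model, dividing by the claimant count leaves only truncation dust behind when the count does not divide the distributable amount evenly.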
Updated Function: