MyCut

Summary:

The contract does not validate that the players array is non-empty during initialization. This missing validation can cause a divide-by-zero error in the closePot function if the array is empty, resulting in funds being locked in the contract and becoming irretrievable.

Vulnerability Details:

The Pot contract's constructor currently does not check if the players array has any entries. If deployed with an empty players array, this will lead to a divide-by-zero error when closePot is called and attempts to calculate claimantCut using i_players.length (which would be zero). This flaw causes the entire reward distribution to fail, locking the funds in the contract permanently.

Vulnerability Location:
Pot.sol: Line 57

Impact:

The impact of this vulnerability includes:

• Locked Funds: The funds sent to the contract, including the owner's funds, will be permanently locked if the contract was initialized with an empty players array.

• Denial of Service: The contract’s main functionality (distributing rewards and allowing the owner to claim their cut) becomes unusable due to the divide-by-zero error.

• Potential Financial Loss: Users and the owner may incur a total loss of funds due to the inability to recover or distribute them properly.

Tools Used:

• Manual Review

Recommendations:

To mitigate this issue, the constructor should include a validation check to ensure that the players array is not empty. If the array is empty, the contract should revert during deployment, preventing any future divide-by-zero errors.