Incorrect Reward Distribution Calculation in `closePot`
Summary
The closePot function in the Pot contract calculates the distribution of remaining rewards among claimants based on the total number of players rather than the actual number of claimants. This results in incorrect reward allocation if not all players have claimed their rewards.
Vulnerability Detail
The closePot function includes the following code for calculating the claimant's cut:
This calculation divides the remaining rewards by the total number of players (i_players.length), not the number of actual claimants. This is problematic because if not all players have claimed their rewards, the remaining rewards are distributed among an incorrect number of participants, leading to potential discrepancies in the reward distribution.
Impact
Incorrect Distribution: The use of
i_players.lengthfor dividing the remaining rewards results in unfair or inaccurate reward allocation, especially if some players have not claimed their rewards.Potential Loss of Funds: Rewards intended for claimants may be misallocated if the distribution is based on the total number of players instead of the actual number of claimants.
Tools Used
Manual Code Review
Recommendations
Update the reward distribution logic to use the number of claimants (claimants.length) instead of the total number of players. This ensures that rewards are distributed accurately to those who have actually claimed their share
Lead Judging Commences
Incorrect distribution in closePot()
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.