MyCut

First Flight #23
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

Incorrect Reward Distribution Calculation in `closePot`

Summary

The closePot function in the Pot contract calculates the distribution of remaining rewards among claimants based on the total number of players rather than the actual number of claimants. This results in incorrect reward allocation if not all players have claimed their rewards.

Vulnerability Detail

The closePot function includes the following code for calculating the claimant's cut:

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

This calculation divides the remaining rewards by the total number of players (i_players.length), not the number of actual claimants. This is problematic because if not all players have claimed their rewards, the remaining rewards are distributed among an incorrect number of participants, leading to potential discrepancies in the reward distribution.

Impact

  • Incorrect Distribution: The use of i_players.length for dividing the remaining rewards results in unfair or inaccurate reward allocation, especially if some players have not claimed their rewards.

  • Potential Loss of Funds: Rewards intended for claimants may be misallocated if the distribution is based on the total number of players instead of the actual number of claimants.

Tools Used

Manual Code Review

Recommendations

Update the reward distribution logic to use the number of claimants (claimants.length) instead of the total number of players. This ensures that rewards are distributed accurately to those who have actually claimed their share

Updates

Lead Judging Commences

equious Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect distribution in closePot()

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.