This report identifies a vulnerability in the MyCut contest rewards distribution protocol, specifically in the closePot() function. According to the protocol, claimants have a 90-day window to claim their rewards. However, the owner of the contract is able to call the closePot() function on Day 90, prematurely ending the contest and preventing participants from claiming their rewards on Day 90 itself. This violates the expected behavior, where participants should have the full 90 days to claim, and the pot should only close on Day 91.
The MyCut protocol specifies that claimants are given 90 days to claim their rewards after participating in a contest. Once the 90-day period has passed, the manager can take a cut of the remaining unclaimed rewards, and the remainder is distributed among those who claimed within the allowed window.
However, the protocol allows the owner to call the closePot() function on Day 90 itself. This prematurely ends the claim window, preventing participants from claiming rewards on Day 90, even though the claim window is technically still open. This creates a discrepancy between the intended behavior (the pot closes after 90 full days) and the actual behavior (the pot can be closed at any point on Day 90).
https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L49
Denial of Claims: If the owner calls closePot() on Day 90, claimants who attempt to claim their rewards on the same day will be unable to do so, leading to unfair denial of their rightful rewards.
Manual Review
The comparison in the check that reverts with Pot__StillOpenForClaim() should be <=, not <.
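The boundary behaviour of the two comparisons, as an added sketch that is not the MyCut Pot contract: every name other than closePot() and Pot__StillOpenForClaim() (the contract, `deployedAt`, `CLAIM_WINDOW`, `closed`, `claim()`, the helper functions) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the MyCut Pot contract. All names except closePot()
// and Pot__StillOpenForClaim() are assumptions made for this sketch.
contract ClaimWindowSketch {
    error Pot__StillOpenForClaim();
    error PotClosed();
    error NotOwner();

    uint256 public constant CLAIM_WINDOW = 90 days;
    address public immutable owner;
    uint256 public immutable deployedAt;
    bool public closed;
    mapping(address => bool) public claimed;

    constructor() {
        owner = msg.sender;
        deployedAt = block.timestamp;
    }

    // Strict comparison, as the report describes the current check:
    // closing is rejected only while elapsed < 90 days, so the first
    // accepted timestamp is deployedAt + 90 days.
    function closableStrict(uint256 ts) public view returns (bool) {
        return !(ts - deployedAt < CLAIM_WINDOW);
    }

    // Inclusive comparison, as the report recommends: closing is rejected
    // while elapsed <= 90 days, so the first accepted timestamp is
    // deployedAt + 90 days + 1 second.
    function closableInclusive(uint256 ts) public view returns (bool) {
        return !(ts - deployedAt <= CLAIM_WINDOW);
    }

    function closePot() external {
        if (msg.sender != owner) revert NotOwner();
        if (!closableInclusive(block.timestamp)) revert Pot__StillOpenForClaim();
        closed = true;
    }

    // Once closePot() has succeeded, later claims revert, including a claim
    // ordered after it in the same block.
    function claim() external {
        if (closed) revert PotClosed();
        claimed[msg.sender] = true; // reward transfer omitted in this sketch
    }
}
```

Calling both helpers with `deployedAt + 90 days` returns true for `closableStrict` and false for `closableInclusive`; a regression test for the fix should assert on exactly that timestamp and on the one after it.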