The Protocol is not Compatible with Fee on Transfer token
Summary
The ContestManager.sol and Pot.sol contracts are not compatible with Fee on transfer tokens, these tokens are tokens that tax each transfer, so the amount received is less than the amount sent.
Vulnerability Details
The vulnerability starts from the ContestManager.sol:fundContest function, it transfers the totalRewards to the pot but for Fees on transfer tokens, the amount received is less than the amount sent. This will lead to the pot having less totalRewards than intended because of this the last set of recipients will not be able to claim.
The Pot.sol contract uses the _transferRewardfunction to transfer rewards, this function doesn't support Fees on transfer tokens either.
Impact
Some users won't be able to claim their cut as the balance.
The manager will not be able to close the pot.
The manager won't be able to close the pot because the transaction will revert, as the remaining rewards will be greater than the contract's actual balance.
Tools Used
Manual analysis
Recommendations
-
Do not use Fee on transfer token with the protocol.
-
Design the protocol to support Fees on transfer tokens.
-function _transferReward(address player, uint256 reward) internal {+function _transferReward(address player, uint256 reward) internal returns (uint) {- i_token.transfer(player, reward);+ uint balanceBefore = i_token.balanceOf(address(this));+}
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.