Description
The reward distribution protocol, which manages a pot of rewards for players, is incompatible with rebasing tokens. This incompatibility creates a discrepancy between the recorded reward amounts for each player and the actual token balances available for distribution.
Impact
Users may receive incorrect reward amounts:
In the case of positive rebasing, users might receive less than their actual share.
In the case of negative rebasing, the contract might attempt to send more tokens than available.
The total distributed rewards may not match the actual balance held by the contract.
This discrepancy could lead to funds being locked in the contract or unfair distribution among players.
Proof of Concept
The protocol stores the total rewards and individual player rewards in an array.
Rebasing tokens held at the contract's address undergo supply adjustments (rebasing).
The stored values in the array remain static and do not reflect these supply adjustments.
When a user withdraws, they receive the amount recorded in the array, which may not match the actual rebased token balance.
Recommended Mitigation
Dynamic Balance Tracking: Implement a mechanism to update stored reward values after each rebasing event. This could involve creating a hook that is triggered by rebasing events.
Regular Balance Reconciliation: Implement a function to periodically reconcile stored values with actual token balances. Adjust individual reward records proportionally based on any discrepancies found.
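The following off-chain model is an added example, not code from the audited contract. It reproduces the static-record behaviour described above under a positive and a negative rebase, then applies the proportional reconciliation from the mitigation. The names Pot, rebase, reconcile, claim and run, the player names and the amounts are all assumptions made for illustration.

```python
# Added illustration: off-chain model of the accounting, not the audited contract.
# Pot, rebase, claim and reconcile are hypothetical names; amounts are constructed.

class Pot:
    def __init__(self, rewards):
        self.rewards = dict(rewards)          # static per-player records
        self.balance = sum(rewards.values())  # tokens actually held

    def rebase(self, num, den):
        # Token-side supply adjustment: the balance scales, the records do not.
        self.balance = self.balance * num // den

    def reconcile(self):
        # Scale outstanding records pro rata to the real balance (rounds down).
        recorded = sum(self.rewards.values())
        if recorded:
            self.rewards = {p: r * self.balance // recorded
                            for p, r in self.rewards.items()}

    def claim(self, player):
        amount = self.rewards[player]
        if amount > self.balance:
            raise RuntimeError("transfer exceeds contract balance")
        self.rewards[player] = 0
        self.balance -= amount
        return amount


def run(num, den, reconcile):
    """Rebase by num/den, then let every player claim.
    Returns (payouts, tokens left in the pot, players whose claim reverted)."""
    pot = Pot({"alice": 600, "bob": 400})
    pot.rebase(num, den)
    payouts, reverted = {}, []
    for player in ("alice", "bob"):
        if reconcile:
            pot.reconcile()  # re-sync records with the balance before paying
        try:
            payouts[player] = pot.claim(player)
        except RuntimeError:
            reverted.append(player)
    return payouts, pot.balance, reverted


if __name__ == "__main__":
    for num, den in ((11, 10), (9, 10)):
        for reconcile in (False, True):
            print(num, den, reconcile, run(num, den, reconcile))
```

Because reconciliation rounds down, any dust stays in the pot rather than causing the last claim to exceed the balance.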