MyCut

First Flight #23
Submission Details
Severity: medium
Invalid

Pot cannot be closed if a player's account is blacklisted

Summary

Certain ERC-20 tokens, such as USDC or USDT, have a blacklist mechanism in their code, and in Pot::closePot the protocol uses a for loop to distribute the unclaimed rewards among the players who claimed theirs. If one of those players is blacklisted between the time they claimed their prize and the time closePot is called, the call will fail, making it impossible to close the pot.

Vulnerability Details

The following code snippet marks where the function will fail, as a transfer to a blacklisted account will make the for loop revert.

    function closePot() external onlyOwner {
        if (block.timestamp - i_deployedAt < 90 days) {
            revert Pot__StillOpenForClaim();
        }
        if (remainingRewards > 0) {
            uint256 managerCut = remainingRewards / managerCutPercent;
            i_token.transfer(msg.sender, managerCut);
            uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
            for (uint256 i = 0; i < claimants.length; i++) {
@>              _transferReward(claimants[i], claimantCut);
            }
        }
    }

Impact

The pot cannot be closed, the manager does not get his cut percent, and the remaining rewards cannot be distributed to the claimants, effectively locking the unclaimed money.

Tools Used

Foundry and Manual review

Recommendations

Instead of distributing the amounts right away, you may calculate the cut of every participant and store it in an array, as well as add a function so that they claim it themselves; that way the pot can be closed regardless of blacklisted accounts. Additionally, you may create a function where the player can change the address where he wants to receive the prize.
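
The pull-payment layout this recommendation describes, as an added Solidity sketch (not code from the MyCut repository or from this submission). It assumes OpenZeppelin's IERC20 and SafeERC20 are available; PullPot, owed, withdrawTo, the constructor arguments and the value of managerCutPercent are hypothetical, and the split arithmetic is simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added sketch: PullPot, owed and withdrawTo are hypothetical names, not MyCut code.
contract PullPot {
    using SafeERC20 for IERC20;
    error Pot__StillOpenForClaim();
    error Pot__NotManager();
    error Pot__NothingOwed();
    IERC20 private immutable i_token;
    address private immutable i_manager;
    uint256 private immutable i_deployedAt;
    uint256 private constant managerCutPercent = 10; // constructed value for the sketch
    address[] private claimants;
    uint256 private remainingRewards;
    mapping(address => uint256) public owed; // credited at close, paid out on withdrawal

    // Assumption: the claimant list is passed in; a real pot would build it in its claim function.
    constructor(IERC20 token, uint256 rewards, address[] memory alreadyClaimed) {
        i_token = token;
        i_manager = msg.sender;
        i_deployedAt = block.timestamp;
        remainingRewards = rewards;
        claimants = alreadyClaimed;
    }

    // Bookkeeping only: no token transfer runs here, so a blacklisted claimant cannot revert it.
    function closePot() external {
        if (msg.sender != i_manager) revert Pot__NotManager();
        if (block.timestamp - i_deployedAt < 90 days) revert Pot__StillOpenForClaim();
        uint256 pot = remainingRewards;
        remainingRewards = 0; // a second call credits nothing
        uint256 managerCut = pot / managerCutPercent;
        owed[i_manager] += managerCut;
        if (claimants.length == 0) return;
        uint256 claimantCut = (pot - managerCut) / claimants.length;
        for (uint256 i = 0; i < claimants.length; i++) owed[claimants[i]] += claimantCut;
    }

    // Pull payment: a reverting transfer affects only the caller, who may retry with another address.
    function withdrawTo(address to) external {
        uint256 amount = owed[msg.sender];
        if (amount == 0) revert Pot__NothingOwed();
        owed[msg.sender] = 0; // effects before the external call
        i_token.safeTransfer(to, amount);
    }
}
```

If the token rejects a withdrawal, the whole call reverts and the caller's owed balance is restored, while closePot and every other claimant's withdrawal are unaffected.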

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
