MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unable to close pot when remaining rewards are less than the total claimant.

joshuajee

Vulnerability Details

After 90 days the pot can be closed by the ContestManager contract, the ContestManager takes 10% of the remaining and sends the rest to the people who claimed. It divides the remaining funds and sends them individually to the people who claim. The problem here is that some tokens have around 2 decimals. Such tokens could easily pose a risk.

For example, there are 1000 recipients and 10000 tokens to share equally, 999 claimed so the remaining tokens are 10.

The manager takes 10% which is 1, so the number of tokens remaining to share with the claimant is 9.

Remember the token has two decimal places so the real value is 900, if we divide 900 by 999 we will get 0.

So zero will be transferred to every claimant, this could potentially revert or just waste gas for the owner.

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

@-> uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

Impact

Funds will be lost forever because zero will be sent to all the claimants.
Waste of gas for the called
Revert due to zero transfer error, so the manager doesn't get their cut.

Tools Used

Manual Analysis

Recommendations

if the total funds remaining are smaller than the claimants send everything to the owner.
Don't use tokens with very small decimal places.

Updates

Lead Judging Commences

equious Lead Judge

9 months ago

equious Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Dusty Pot

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.