MyCut
First Flight #23
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

[H-03] Precision loss can lead to rewards getting stuck in the pot forever

madhuvarun

[H-03] Precision loss can lead to rewards getting stuck in the pot forever

Description: When contest manager closes the pot by calling Pot::closePot, 10 percent of the remaining rewards are transferred to the contest manager and the rest are distributed equally among the claimants. It does this by dividing the rewards by the manager's cut percentage which is 10. Then the remaining rewards are divided by the number of players to distribute equally among claimants. Since solidity allows only integer division this will lead to precision loss which will cause a portion of funds to be left in the pot forever. Each pot follows the same method, so as number of pots grow, the loss of funds is very significant.

Impact: Reward tokens get stuck in the pot forever which causes loss of funds.

Proof of code:

Add the below test to test/TestMyCut.t.sol

function testPrecisionLoss() public mintAndApproveTokens {
ContestManager cm = ContestManager(conMan);
uint playersLength = 3;
address[] memory p = new address[](playersLength);
uint256[] memory r = new uint256[](playersLength);
uint tr = 86;
p[0] = makeAddr("_player1");
p[1] = makeAddr("_player2");
p[2] = makeAddr("_player3");
r[0] = 20;
r[1] = 23;
r[2] = 43;
vm.startPrank(user);
address pot = cm.createContest(p, r, weth, tr);
cm.fundContest(0);
vm.stopPrank();
console.log("\n\ntoken balance in pot before: ", weth.balanceOf(pot));
vm.prank(p[1]); // player 2
Pot(pot).claimCut();
vm.prank(p[0]); // player 1
Pot(pot).claimCut();
vm.prank(user);
vm.warp(block.timestamp + 90 days + 1);
cm.closeContest(pot);
console.log(
"\n\ntoken balance in pot after closing pot: ",
weth.balanceOf(pot)
);
assert(weth.balanceOf(pot) != 0);
}

Run the below test command in terminal

forge test --mt testPrecisionLoss -vv

Which results in the below output

[⠒] Compiling...
[⠆] Compiling 1 files with 0.8.20
[⠰] Solc 0.8.20 finished in 2.57s
Compiler run successful!
Ran 1 test for test/TestMyCut.t.sol:TestMyCut
[PASS] testPrecisionLoss() (gas: 936926)
Logs:
token balance in pot before: 86
token balance in pot after closing pot: 1
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.75ms (654.60µs CPU time)
Ran 1 test suite in 261.16ms (1.75ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

If you observe the output you can see the pot still has rewards despite distributing them to claimants.

Recommended Mitigations:

Fixed-Point Arithmetic: Utilize a fixed-point arithmetic library or implement a custom solution to handle fee calculations with greater precision.

Tools used: Solidity, VSCode

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Dusty Pot

Appeal created

madhuvarun Submitter
about 1 year ago
equious Lead Judge
about 1 year ago
madhuvarun Submitter
about 1 year ago
equious Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Dusty Pot

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.