MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`claimantCut` is calculated using all players causing claimants to receive fewer rewards

jfornells

Root + Impact

Pot::closePot calculates claimantCut divided by i_players.length (total players) instead of claimants.length (players who claimed), resulting in each claimant receiving fewer tokens than entitled to and permanently trapping the remainder in the Pot contract.

Field	Value
Severity	High
Likelihood	High

Description

closePot() must transfer 10% of remainingRewards to the owner and divide the rest equally among players who called claimCut(). The bug is that the division uses i_players.length (all registered players) instead of claimants.length (only those who claimed). Since i_players.length >= claimants.length, each claimant receives less than their fair share and the difference is permanently locked in the contract with no recovery mechanism.

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

@> uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; // should be claimants.length

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

Risk

Likelihood: Triggered on every closePot() call as long as at least one player did not claim — which is the intended use case of the function.

Impact: Every claimant receives (remainingRewards - managerCut) / i_players.length instead of the correct (remainingRewards - managerCut) / claimants.length. The shortfall is locked forever.

Concrete example (matching PoC): 4 players × 1 WETH each. 3 claim via claimCut(), leaving remainingRewards = 1e18. Owner takes 10% (1e17), leaving 9e17 to distribute.

Correct: 9e17 / 3 = 3e17 per claimant → total distributed 9e17, trapped 0.
Actual: 9e17 / 4 = 225e15 per claimant → total distributed 675e15, trapped 225e15 (25%).

The trapped percentage scales with the ratio of non-claimants to total players: more unclaimed players = higher loss.

Proof of Concept

Setup: 4 players, 1 WETH each. 3 claim on time. Owner closes after 90 days.
The logs show each claimant receives 225e15 instead of the correct 300e15, and 225e15 WETH is permanently trapped.

function test_Remaining_Rewards_Are_Divided_By_Players_Intead_Of_Claimants() public {

// There are 4 players, 1 weth each

// 3 players call claimCut() — player2 does not claim

address[3] memory pClaim = [player1, player3, player4];

for (uint256 i; i < pClaim.length; i++) {

vm.prank(pClaim[i]);

pot.claimCut();

}

uint256 rewardAmount = 1e18;

// Players have received their individual rewards

assertEq(weth.balanceOf(player1), rewardAmount);

assertEq(weth.balanceOf(player3), rewardAmount);

assertEq(weth.balanceOf(player4), rewardAmount);

// 1 WETH remains (player2 did not claim) — to be split between owner and claimants

uint256 remaningRewards = pot.getRemainingRewards();

assertEq(remaningRewards, 1e18);

// Advance past 90 days to allow closePot()

vm.warp(block.timestamp + 90 days);

// Owner closes the pot — bug: divides by i_players.length (4) not claimants.length (3)

vm.prank(ownerContest);

contest.closeContest(address(pot));

// Owner correctly receives 10% = 1e17

uint256 amountToOwner = remaningRewards / 10;

assertEq(weth.balanceOf(address(contest)), amountToOwner);

// Expected amount per claimant: 9e17 / 3 = 3e17

uint256 expectedPerClaimant = (remaningRewards - amountToOwner) / pClaim.length;

console.log("Expected per claimant (9e17/3)..:", expectedPerClaimant);

console.log("Player1 actually received........:", weth.balanceOf(player1) - rewardAmount);

console.log("Player3 actually received........:", weth.balanceOf(player3) - rewardAmount);

console.log("Player4 actually received........:", weth.balanceOf(player4) - rewardAmount);

uint256 amountReceived = weth.balanceOf(player1) - rewardAmount;

uint256 amountLost = expectedPerClaimant - amountReceived;

// Each claimant loses 75e15 because divisor was 4 instead of 3

console.log("Each claimant lost (75e15)......:", amountLost);

// 3 * 75e15 = 225e15 permanently trapped in Pot

console.log("WETH permanently trapped in Pot.:", weth.balanceOf(address(pot)));

}

Logs:

Expected per claimant (9e17/3)..: 300000000000000000

Player1 actually received........: 225000000000000000

Player3 actually received........: 225000000000000000

Player4 actually received........: 225000000000000000

Each claimant lost (75e15).......: 75000000000000000

WETH permanently trapped in Pot.: 225000000000000000

Recommended Mitigation

Replace i_players.length with claimants.length so the distributable amount is divided only among those who actually claimed.

- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

+ uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 18 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.  It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!