MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Bonus Distribution Calculation Locks Funds Permanently

akovachev7

Root + Impact

Description

According to the MyCut protocol specification, after 90 days the consolemanager should "take a cut of the remaining pool and the remainder is distributed equally to those who claimed in time."
However, the closePot() function incorrectly calculates the bonus distribution by dividing the bonus pool by the total number of players instead of the number of actual claimants.

This causes underpayment to eligible claimants and permanently locks the difference in the contract.

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

//@audit: Divides by i_players.length (total players)

@> uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

//@audit: But distributes to claimants.length (only those who claimed)

@> for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

The issue arises when:

i_players.length = total number of players (e.g., 3)
claimants.length = number who claimed (e.g., 2)

The calculation divides the bonus pool by 3, but only distributes to 2 claimants. This leaves bonusPool * (1 - claimants.length/i_players.length) permanently locked in the contract.

Risk

Likelihood:

High - This bug triggers whenever fewer than all players claim their rewards, which is the primary use case the protocol is designed for (distributing unclaimed rewards).

Impact:

High - Multiple severe consequences:

Permanent Fund Locking: Portion of bonus pool remains locked forever with no recovery mechanism
Claimants Underpaid: Users who claimed in time receive less than their fair share
Violates Core Business Logic: Contradicts the fundamental promise that the remainder is "distributed equally to those who claimed"

Proof of Concept

The test testUnclaimedRewardDistribution_incorrect_result demonstrates this vulnerability:

function testUnclaimedRewardDistribution_incorrect_result()

public

mintAndApproveTokens

{

vm.startPrank(user);

address player3 = makeAddr("player3");

address[] memory new_players = new address[](3);

new_players[0] = player1;

new_players[1] = player2;

new_players[2] = player3;

rewards = [500, 500, 1000];

totalRewards = 2000;

contest = ContestManager(conMan).createContest(

new_players,

rewards,

IERC20(ERC20Mock(weth)),

totalRewards

);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

// Only player1 and player2 claim (player3 doesn't claim 1000)

vm.startPrank(player1);

Pot(contest).claimCut(); // Claims 500

vm.stopPrank();

vm.startPrank(player2);

Pot(contest).claimCut(); // Claims 500

vm.stopPrank();

// Remaining: 1000 (player3's unclaimed reward)

vm.warp(91 days);

uint256 userBalanceBefore = ERC20Mock(weth).balanceOf(user);

uint256 claimantBalanceBefore_Player1 = ERC20Mock(weth).balanceOf(player1);

uint256 claimantBalanceBefore_Player2 = ERC20Mock(weth).balanceOf(player2);

vm.startPrank(user);

ContestManager(conMan).closeContest(contest);

vm.stopPrank();

uint256 userBalanceAfter = ERC20Mock(weth).balanceOf(user);

uint256 claimantBalanceAfter_Player1 = ERC20Mock(weth).balanceOf(player1);

uint256 claimantBalanceAfter_Player2 = ERC20Mock(weth).balanceOf(player2);

uint256 contestBalance = ERC20Mock(weth).balanceOf(contest);

// EXPECTED (correct) behavior:

// Remaining: 1000

// Manager cut: 1000 / 10 = 100

// Bonus pool: 1000 - 100 = 900

// Claimants: 2 (player1 and player2)

// Each claimant: 900 / 2 = 450

assertEq(userBalanceAfter - userBalanceBefore, 100); // Manager gets 100

assertEq(claimantBalanceAfter_Player1 - claimantBalanceBefore_Player1, 450); // Player1 gets 450

assertEq(claimantBalanceAfter_Player2 - claimantBalanceBefore_Player2, 450); // Player2 gets 450

assertEq(contestBalance, 0); // No funds left locked

}

Recommended Mitigation

Change the division to use the actual number of claimants instead of total players:

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

+ uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

This fix ensures that the bonus pool is correctly distributed according to the protocol specification: "the remainder is distributed equally to those who claimed in time."

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.  It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!