MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect reward distribution in closePot function

s3mvl4d

Description

After the 90‑day claim period, the protocol should take a fixed manager cut from the remaining (unclaimed) rewards, and then distribute the entire remainder equally among the players who actually claimed in time (i.e., the claimants), in accordance with the contest description.
closePot() computes each claimant’s share using the total number of players (i_players.length) instead of the number of claimants (claimants.length). As a result, the amount transferred to claimants is too small when not all players claimed, leaving undistributed tokens stuck in the contract and underpaying legitimate claimants.

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

uint256 managerCut = remainingRewards / managerCutPercent;

i_token.transfer(msg.sender, managerCut);

// @> BUG: uses i_players.length instead of claimants.length

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

Risk

Likelihood: High

Many real contests have partial participation, so it’s common that fewer than all players claim before the deadline. In those cases, this miscalculation is consistently triggered.
The function executes whenever the manager closes a pot after 90 days and any rewards remain, making the error a routine occurrence in normal operation.

Impact: High

Underpayment of claimants: Claimants receive a smaller per‑person amount than intended, violating the protocol’s stated rules.
Funds stuck in contract: The undistributed remainder stays in the contract causing accounting drift and stranded funds.

Proof of Concept

Copy the code below to TestMyCut.t.sol.
Run command forge test --mt testIncorrectRewardDistribution -vv.

function testIncorrectRewardDistribution() public mintAndApproveTokens {

// Setup token balances for manager and fund the pot with 30 tokens.

// Players: 3, rewards: 10 each, totalRewards: 30.

address alice = address(0xA1);

address bob = address(0xB2);

address charlie = address(0xC3);

players = new address[](3);

players[0] = alice;

players[1] = bob;

players[2] = charlie;

rewards = new uint256[](3);

rewards[0] = 10;

rewards[1] = 10;

rewards[2] = 10;

totalRewards = 30;

vm.startPrank(user);

contest = ContestManager(conMan).createContest(players, rewards, IERC20(ERC20Mock(weth)), totalRewards);

ContestManager(conMan).fundContest(0);

vm.stopPrank();

vm.prank(alice); // transfers 10, remainingRewards = 20

Pot(contest).claimCut();

vm.prank(bob); // transfers 10, remainingRewards = 10

Pot(contest).claimCut();

// Charlie does not claim his reward, so remainingRewards = 10

// Fast-forward >90 days and close:

vm.warp(91 days);

vm.prank(user);

ContestManager(conMan).closeContest(contest);

// Actual with incorrect logic:

// managerCut = 10 / 10 = 1

// claimantCut = (10 - 1) / i_players.length = 9 / 3 = 3

// Transfers: alice 3, bob 3; 3 tokens remain in the contract (undistributed)

// Intended: claimantCut should be (10 - 1) / claimants.length = 9 / 2 = 4 (floor)

// -> alice 4, bob 4, remainder 1 (should be handled deterministically)

// Assertions:

assertEq(weth.balanceOf(alice), 13); // 10 original + 3 redistributed (UNDERPAID)

assertEq(weth.balanceOf(bob), 13); // UNDERPAID

assertEq(weth.balanceOf(address(contest)), 3); // Stuck in Pot contract

// Logging for clarity, expected vs. actual balances:

emit log_named_uint("Alice balance (expected 14), actual: ", weth.balanceOf(alice));

emit log_named_uint("Bob balance (expected 14), actual: ", weth.balanceOf(bob));

emit log_named_uint("Pot contract balance (expected 1), actual: ", weth.balanceOf(address(contest)));

}

Output:

[⠊] Compiling...

No files changed, compilation skipped

Ran 1 test for test/TestMyCut.t.sol:TestMyCut

[PASS] testIncorrectRewardDistribution() (gas: 1321656)

Logs:

User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D

Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353

Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D

Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353

Alice balance (expected 14), actual: : 13

Bob balance (expected 14), actual: : 13

Pot contract balance (expected 1), actual: : 3

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.14ms (898.30µs CPU time)

Ran 1 test suite in 15.82ms (3.14ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Recommended Mitigation

Use the number of claimants for the split, decrement remainingRewards to reflect actual payouts, and define how to handle rounding remainders deterministically (e.g., send leftover dust to the manager or leave it in reserves). Also guard against zero claimants to avoid division by zero.

function closePot() external onlyOwner {

if (block.timestamp - i_deployedAt < 90 days) {

revert Pot__StillOpenForClaim();

}

if (remainingRewards > 0) {

- uint256 managerCut = remainingRewards / managerCutPercent;

- i_token.transfer(msg.sender, managerCut);

- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

- for (uint256 i = 0; i < claimants.length; i++) {

- _transferReward(claimants[i], claimantCut);

- }

+ uint256 managerCut = remainingRewards / managerCutPercent;

+ i_token.transfer(msg.sender, managerCut);

+ uint256 distributable = remainingRewards - managerCut;

+ uint256 nClaimants = claimants.length;

+ // No claimants: just reduce remainingRewards by the manager cut and exit

+ if (nClaimants == 0) {

+ remainingRewards -= managerCut;

+ return;

+ }

+ uint256 claimantCut = distributable / nClaimants; // split among actual claimants

+ for (uint256 i = 0; i < nClaimants; i++) {

+ _transferReward(claimants[i], claimantCut);

+ }

+ // Update accounting and handle integer division remainder deterministically

+ uint256 paid = claimantCut * nClaimants;

+ uint256 leftover = distributable - paid;

+ // Send leftover to manager (or a reserve address) to avoid dust

+ if (leftover > 0) {

+ i_token.transfer(msg.sender, leftover);

+ }

+ remainingRewards -= (managerCut + paid + leftover);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.  It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!