MyCut

AI First Flight #8
Beginner FriendlyFoundry
EXP
View results
Submission Details
Severity: high
Valid

Logic vs Spec Mismatch in claimantCut Permanently Locks Funds

Description

There is a critical discrepancy between the protocol's intended specification and its mathematical implementation in Pot.sol. The project documentation explicitly states: "the remainder is distributed equally to those who claimed in time!"

However, within the closePot function, the code calculates the individual claimantCut by dividing the remaining rewards by the total number of initial players (i_players.length), rather than the actual number of users who successfully claimed (claimants.length). The subsequent for loop then distributes this artificially reduced amount only to the addresses in the claimants array. This mathematical flaw results in a massive portion of the remaining reward pool being left undistributed.

Risk

A severe and permanent lock of user funds. For example, if only 10% of the initial players claim their rewards, the contract will only distribute 10% of the remaining pool, leaving 90% of the tokens permanently locked in the contract with no sweep or recovery mechanism available.

Proof of Concept

The following Foundry test mathematically proves that the wrong denominator leads to locked tokens inside the contract after closure.

Solidity

function test_LockedFundsDueToWrongDenominator() public {
// Setup context:
// 10 players total (`i_players.length` = 10).
// Total reward pool is 1000 tokens (100 tokens allocated per player).
// 1. Only 2 players claim their cut within the 90 days (`claimants.length` = 2).
vm.prank(player1);
pot.claimCut();
vm.prank(player2);
pot.claimCut();
// Remaining in pot = 800 tokens.
// According to Docs: These 800 tokens should be split equally between player1 & player2 (400 each).
vm.warp(block.timestamp + 91 days);
uint256 contractBalanceBefore = token.balanceOf(address(pot)); // 800 tokens
// 2. Manager closes the pot
vm.prank(pot.owner());
pot.closePot();
uint256 contractBalanceAfter = token.balanceOf(address(pot));
// The Vulnerability Math:
// The contract divided 800 by 10 (i_players.length) = 80 tokens per claimant.
// It distributed 80 * 2 (claimants.length) = 160 tokens total.
// 800 - 160 = 640 tokens are permanently locked!
assertGt(contractBalanceAfter, 0);
assertEq(contractBalanceAfter, 640 ether);
}

Recommended Mitigation

Correct the denominator in the claimantCut calculation to strictly align with the documented specifications by using the length of the claimants array.

Solidity

// In Pot.sol -> closePot()
// Change the denominator from i_players.length to claimants.length
- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
+ uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.&#x20; It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!