MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-01] `closePot()` divides surplus by total players instead of claimants, permanently locking the majority of unclaimed rewards

webrainsec

Description

MyCut distributes unclaimed reward surplus equally among players who claimed on time. But closePot() divides the surplus by i_players.length (all players) while only distributing to claimants (those who claimed). The gap between these two numbers leaves tokens permanently locked in the Pot with no recovery path.

Vulnerability Details

// src/Pot.sol, line 57-60

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; // @> divides by ALL players

for (uint256 i = 0; i < claimants.length; i++) { // @> but only loops over claimants

_transferReward(claimants[i], claimantCut);

}

The denominator i_players.length includes players who never claimed. The loop iterates claimants.length times. So (i_players.length - claimants.length) shares are computed but never distributed. Those tokens stay in the Pot contract, which has no withdrawal or rescue function.

The README specifies: "the remainder is distributed equally to those who claimed in time" — the denominator should be claimants.length.

Risk

Likelihood:

This bug triggers every time closePot() runs with at least one non-claimant. In any realistic contest, some players will miss the 90-day window, making this the default scenario.

Impact:

The locked percentage scales with the ratio of non-claimants. With 1 out of 5 players claiming, 80% of the surplus is locked (2880 out of 3600 tokens in the PoC). With 1 out of 100, 99% is locked. The Pot contract has no function to recover these tokens.

PoC

The test creates a 5-player contest with 1000 tokens each (5000 total). Only player1 claims their 1000 tokens, leaving 4000 remaining. After 90 days the owner closes the pot. The manager takes 400 (10%), and the surplus is 3600. Player1 should receive all 3600, but instead gets 720 (3600 / 5). The remaining 2880 tokens are permanently stuck in the Pot.

function testExploit_WrongDenominator() public {

// 5 players, 1000 tokens each, total 5000

address[] memory players = new address[](5);

players[0] = player1;

players[1] = player2;

players[2] = player3;

players[3] = player4;

players[4] = player5;

uint256[] memory rewards = new uint256[](5);

for (uint256 i = 0; i < 5; i++) rewards[i] = 1000e18;

vm.startPrank(admin);

address contest = conMan.createContest(players, rewards, IERC20(token), 5000e18);

conMan.fundContest(0);

vm.stopPrank();

// Only player1 claims

vm.prank(player1);

Pot(contest).claimCut();

assertEq(token.balanceOf(player1), 1000e18);

uint256 player1Before = token.balanceOf(player1);

// Close after 90 days

vm.warp(block.timestamp + 91 days);

vm.prank(admin);

conMan.closeContest(contest);

uint256 player1Surplus = token.balanceOf(player1) - player1Before;

uint256 lockedInPot = token.balanceOf(contest);

// BUG: claimantCut = (4000 - 400) / 5 = 720 per claimant

// Only 1 claimant gets 720. Correct would be 3600/1 = 3600.

assertEq(player1Surplus, 720e18, "Player1 got 720 instead of 3600");

assertEq(lockedInPot, 2880e18, "2880 tokens locked forever in Pot");

}

Recommendations

Change the denominator from i_players.length to claimants.length so that the full surplus goes to players who actually claimed. Add a guard for the zero-claimants edge case to avoid division by zero.

+ if (claimants.length > 0) {

- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

+ uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 13 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.  It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!