MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

closePot() divides by i_players.length instead of claimants.length — claimants receive fractional share and remainder is locked forever

virgilbb

Root + Impact

Description

closePot() is designed to distribute the remaining reward pool among players who called claimCut() before the deadline. After taking the manager cut, the leftover is split equally among the claimants array entries and sent out.
The per-claimant amount is calculated by dividing by i_players.length (total registered players) instead of claimants.length (players who actually claimed). The distribution loop then iterates only over claimants, so the fraction corresponding to every non-claiming player is never distributed and is permanently locked in the contract.

// divisor is total registered players, not actual claimants

uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

Risk

Likelihood:

Any contest where at least one registered player does not call claimCut() before the 90-day deadline triggers this bug — a routine outcome in every real deployment.
The divergence between i_players.length and claimants.length grows with each non-claiming player, making the locked fraction larger the lower the participation rate.

Impact:

Each claimant receives claimants.length / i_players.length of their entitled share — directly proportional to how many players skipped claiming.
The (1 - claimants.length / i_players.length) fraction of the distributable pool goes to no address and is permanently locked: with 10 registered players and 2 claimants, 80% of the distributable pool is lost forever.

Proof of Concept

Place this test in test/ and run forge test --match-test testClaimantsCutUnderPaid. The test demonstrates that each claimant receives a fraction of their entitled share because the per-claimant amount is divided by total registered players instead of actual claimants.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {Pot} from "src/Pot.sol";

import {MockERC20} from "test/mocks/MockERC20.sol";

contract H1Test is Test {

MockERC20 token;

Pot pot;

address manager = address(0x1);

address player1 = address(0x2);

address player2 = address(0x3);

address player3 = address(0x4); // will NOT claim

function setUp() public {

token = new MockERC20();

address[] memory players = new address[](3);

players[0] = player1;

players[1] = player2;

players[2] = player3;

uint256[] memory rewards = new uint256[](3);

rewards[0] = 100e18;

rewards[1] = 100e18;

rewards[2] = 100e18;

token.mint(manager, 300e18);

vm.prank(manager);

pot = new Pot(players, rewards, token, 300e18);

vm.prank(manager);

token.transfer(address(pot), 300e18);

}

function testClaimantsCutUnderPaid() public {

// player1 and player2 claim; player3 does not

vm.prank(player1); pot.claimCut();

vm.prank(player2); pot.claimCut();

// Advance 90 days and close

vm.warp(block.timestamp + 91 days);

vm.prank(manager); pot.closePot();

// Each claimant's entitled total: 100e18 (direct claim) + 45e18 (half of 90e18 distributable) = 145e18

// Actual total: 100e18 (direct claim) + 30e18 (claimantCut = 90e18 / 3) = 130e18

uint256 entitledAmount = 145e18;

assertLt(token.balanceOf(player1), entitledAmount, "player1 received less than entitled");

assertLt(token.balanceOf(player2), entitledAmount, "player2 received less than entitled");

assertGt(token.balanceOf(address(pot)), 0, "Tokens permanently locked in pot");

}

Recommended Mitigation

Change the divisor in closePot() from i_players.length to claimants.length so the distributable pool is split evenly among only the players who actually claimed.

- uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;

- for (uint256 i = 0; i < claimants.length; i++) {

- _transferReward(claimants[i], claimantCut);

- }

+ if (claimants.length > 0) {

+ uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

+ for (uint256 i = 0; i < claimants.length; i++) {

+ _transferReward(claimants[i], claimantCut);

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.  It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!