MyCut
AI First Flight #8
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: low
Invalid

Missing reentrancy guard on closePot allows ERC777 or hook-bearing tokens to drain the pot via double distribution

virgilbb

Root + Impact

Description

  • closePot() distributes rewards to all entries in the claimants array by iterating the array and calling _transferReward for each. claimCut() correctly zeroes the player mapping before transferring, following checks-effects-interactions.

  • closePot() has no reentrancy guard and does not zero remainingRewards or clear claimants before beginning distribution. If the token implements ERC777 _afterTokenTransfer hooks, a claimant contract can re-enter closePot from within its hook during the distribution loop, restarting the loop while the original state is still intact and paying all claimants again from the remaining balance.

function closePot() external onlyOwner {
// ...
// @> remainingRewards not zeroed; claimants not cleared before loop
for (uint256 i = 0; i < claimants.length; i++) {
// @> each transfer is a reentrancy surface for ERC777 / hook tokens
_transferReward(claimants[i], claimantCut);
}
}

Risk

Likelihood:

  • The pot token is supplied at construction time and not constrained to a specific implementation. Any ERC777 token or ERC20 with _afterTokenTransfer hooks (OpenZeppelin ERC20 extensions) is a valid trigger.

  • The contest creator or an attacker who convinces the manager to use such a token enables the attack.

Impact:

  • Every claimant in the distribution loop is paid multiple times until the pot balance is exhausted. Tokens are drained beyond the designed payout, with excess taken from the shares of other claimants or from the contract balance entirely.

  • The attack is deterministic once the token type is known — any claimant who is a contract can execute it reliably.

Proof of Concept

Static analysis is sufficient for this finding. closePot() loops over claimants calling claimCut() for each, but remainingRewards is not zeroed and claimants is not cleared before the loop begins. An ERC777 token or any token with a transfer hook could re-enter closePot() or claimCut() during the distribution loop, receiving payment multiple times before state is updated.

grep -n "remainingRewards\|claimants\|closePot\|claimCut" src/Pot.sol
14: address[] private claimants;
19: uint256 private remainingRewards;
27: remainingRewards = totalRewards;
37: function claimCut() public {
44: remainingRewards -= reward;
45: claimants.push(player);
49: function closePot() external onlyOwner {
53: if (remainingRewards > 0) {
54: uint256 managerCut = remainingRewards / managerCutPercent;
57: uint256 claimantCut = (remainingRewards - managerCut) / i_players.length;
58: for (uint256 i = 0; i < claimants.length; i++) {
59: _transferReward(claimants[i], claimantCut);
77: return remainingRewards;

closePot() at line 49 iterates claimants (line 14, populated at line 45) with remainingRewards still non-zero (checked at line 53, never zeroed before the loop) and the claimants array fully populated — no state is cleared before the external calls begin at line 59.

Recommended Mitigation

Inherit ReentrancyGuard in Pot and apply the nonReentrant modifier to claimCut(), or move the state-update (playersToRewards[player] = 0) before the _transferReward call to follow the checks-effects-interactions pattern.

+ import {ReentrancyGuard} from "lib/openzeppelin-contracts/contracts/security/ReentrancyGuard.sol";
- contract Pot is Ownable(msg.sender) {
+ contract Pot is Ownable(msg.sender), ReentrancyGuard {
- function claimCut() public {
+ function claimCut() public nonReentrant {
- function closePot() external onlyOwner {
+ function closePot() external onlyOwner nonReentrant {
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!