msg.sender in closePot Routes Manager Cut to ContestManager → Permanent Fund Lock
Description
When a contest ends, the owner calls ContestManager.closeContest(), which internally calls pot.closePot(). The Pot is deployed by ContestManager via new
Pot(...) — because of the Ownable(msg.sender) constructor, Pot.owner() becomes address(ContestManager), not the human EOA.Inside closePot, the 10% manager cut is transferred to msg.sender. When called through ContestManager._closeContest(), msg.sender inside closePot is
address(ContestManager), not the protocol owner's wallet. ContestManager has no ERC20 withdrawal or rescue function, so every manager cut from every contest is
permanently trapped inside the contract with no recovery path.
// ContestManager.sol
function _closeContest(address contest) internal {
Pot pot = Pot(contest);
// @> msg.sender inside closePot will be address(ContestManager)
pot.closePot();
}
// Pot.sol
contract Pot is Ownable(msg.sender) { // @> owner = address(ContestManager) at deploy time
function closePot() external onlyOwner {
if (remainingRewards > 0) {
uint256 managerCut = remainingRewards / managerCutPercent;
// @> msg.sender = address(ContestManager), NOT the human owner EOA
// @> ContestManager has no token rescue function → locked forever
i_token.transfer(msg.sender, managerCut);
}
}
}
Risk
Likelihood:
Every closeContest call unconditionally routes the manager cut to the ContestManager contract address — there is no alternative code path
Occurs on every single contest closure regardless of token, amount, or timing
Impact:
The protocol owner permanently loses 10% fee revenue from every contest they close
Tokens accumulate in ContestManager indefinitely with no mechanism to recover them
Proof of Concept
function testOwnerCutStuckInContestManager() public mintAndApproveTokens {
vm.startPrank(user);
contest = ContestManager(conMan).createContest(
players, rewards, IERC20(ERC20Mock(weth)), 100
);
ContestManager(conMan).fundContest(0);
vm.stopPrank();
vm.warp(block.timestamp + 91 days);
uint256 conManBalanceBefore = ERC20Mock(weth).balanceOf(conMan);
uint256 ownerBalanceBefore = ERC20Mock(weth).balanceOf(user);
vm.prank(user);
ContestManager(conMan).closeContest(contest);
// Manager cut (10 tokens) went to ContestManager, not the owner
assertGt(ERC20Mock(weth).balanceOf(conMan), conManBalanceBefore);
assertEq(ERC20Mock(weth).balanceOf(user), ownerBalanceBefore); // owner got nothing
}
Recommended Mitigation
// Pot.sol — pass the intended recipient explicitly
function closePot() external onlyOwner {
function closePot(address manager) external onlyOwner {
if (block.timestamp - i_deployedAt < 90 days) {
revert Pot__StillOpenForClaim();
}
if (remainingRewards > 0) {
uint256 managerCut = remainingRewards / managerCutPercent;
-
i_token.transfer(msg.sender, managerCut);
-
i_token.transfer(manager, managerCut); // ... }}
// ContestManager.sol — forward the actual human owner address
function _closeContest(address contest) internal {
Pot pot = Pot(contest);
-
pot.closePot();
-
pot.closePot(owner());}
Lead Judging Commences
[H-01] Owner Cut Stuck in `ContestManager`
## Description When `closeContest` function in the `ContestManager` contract is called, `pot` sends the owner's cut to the `ContestManager` itself, with no mechanism to withdraw these funds. ## Vulnerability Details: Relevant code - [Pot](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L7) [ContestManager](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/ContestManager.sol#L16-L26) The vulnerability stems from current ownership implementation between the `Pot` and `ContestManager` contracts, leading to funds being irretrievably locked in the `ContestManager` contract. 1. **Ownership Assignment**: When a `Pot` contract is created, it assigns `msg.sender` as its owner: ```solidity contract Pot is Ownable(msg.sender) { ... } ``` 2. **Contract Creation Context**: The `ContestManager` contract creates new `Pot` instances through its `createContest` function: ```solidity function createContest(...) public onlyOwner returns (address) { Pot pot = new Pot(players, rewards, token, totalRewards); ... } ``` In this context, `msg.sender` for the new `Pot` is the `ContestManager` contract itself, not the external owner who called `createContest`. 3. **Unintended Ownership**: As a result, the `ContestManager` becomes the owner of each `Pot` contract it creates, rather than the intended external owner. 4. **Fund Lock-up**: When `closeContest` is called (after the 90-day contest period), it triggers the `closePot` function: ```solidity function closeContest(address contest) public onlyOwner { Pot(contest).closePot(); } ``` The `closePot` function sends the owner's cut to its caller. Since the caller is `ContestManager`, these funds are sent to and locked within the `ContestManager` contract. 5. **Lack of Withdrawal Mechanism**: The `ContestManager` contract does not include any functionality to withdraw or redistribute these locked funds, rendering them permanently inaccessible. This ownership misalignment and the absence of a fund recovery mechanism result in a critical vulnerability where contest rewards become permanently trapped in the `ContestManager` contract. ## POC In existing test suite, add following test ```solidity function testOwnerCutStuckInContestManager() public mintAndApproveTokens { vm.startPrank(user); contest = ContestManager(conMan).createContest( players, rewards, IERC20(ERC20Mock(weth)), 100 ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); uint256 conManBalanceBefore = ERC20Mock(weth).balanceOf(conMan); console.log("contest manager balance before:", conManBalanceBefore); vm.prank(user); ContestManager(conMan).closeContest(contest); uint256 conManBalanceAfter = ERC20Mock(weth).balanceOf(conMan); // Assert that the ContestManager balance has increased (owner cut is stuck) assertGt(conManBalanceAfter, conManBalanceBefore); console.log("contest manager balance after:", conManBalanceAfter); } ``` run `forge test --mt testOwnerCutStuckInContestManager -vv` in the terminal and it will return following output: ```js [⠊] Compiling... [⠑] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.66s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testOwnerCutStuckInContestManager() (gas: 810988) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 contest manager balance before: 0 contest manager balance after: 10 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 10.51ms (1.31ms CPU time) ``` ## Impact Loss of funds for the protocol / owner ## Recommendations Add a claimERC20 function `ContestManager` to solve this issue. ```solidity function claimStuckedERC20(address tkn, address to, uint256 amount) external onlyOwner { // bytes4(keccak256(bytes('transfer(address,uint256)'))); (bool success, bytes memory data) = tkn.call(abi.encodeWithSelector(0xa9059cbb, to, amount)); require( success && (data.length == 0 || abi.decode(data, (bool))), 'ContestManager::safeTransfer: transfer failed' ); ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.