MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Medium — Integer division truncation in closePot() silently destroys dust tokens with no recovery

cybervikink

Root + Impact

Description

closePot() performs two sequential integer divisions: first for the manager's cut, then for each claimant's share. Both truncate toward zero in Solidity. The combined dust — at most (claimants.length - 1) wei — is never sent to anyone and remains permanently locked. For 18-decimal tokens the loss is negligible per close, but for low-decimal tokens like USDC (6 decimals) it represents real value that compounds across many pot closures.

// Pot.sol :: closePot()

// @> First truncation

uint256 managerCut = remainingRewards / managerCutPercent;

// @> Second truncation — up to (claimants.length - 1) wei lost

uint256 claimantCut = (remainingRewards - managerCut) / claimants.length;

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

// @> dust = remainingRewards - managerCut - (claimantCut * claimants.length)

// @> dust sits in the contract and can never be retrieved

Risk

Likelihood:

Integer truncation occurs on every closePot() call where remainingRewards is not perfectly divisible — this is virtually guaranteed in real-world usage.
The dust compounds: every contest deployment adds a small permanent lock to a dead Pot address.

Impact:

For 6-decimal tokens (USDC, USDT) with e.g. 13 claimants, up to 12 units of the smallest denomination are lost per close — minor individually but accumulates at scale across many contests.
There is no mechanism to recover this dust once closePot() has been called.

Proof of Concept

// remainingRewards = 1_000_001 units, claimants.length = 3

managerCut = 1_000_001 / 10 = 100_000 (dust: 1)

claimantCut = (1_000_001 - 100_000) / 3

= 900_001 / 3 = 300_000 (dust: 1)

Paid out : 100_000 + (300_000 * 3) = 1_000_000

Locked : 1_000_001 - 1_000_000 = 1 unit

Recommended Mitigation

uint256 managerCut = remainingRewards / managerCutPercent;

uint256 distributable = remainingRewards - managerCut;

uint256 claimantCut = distributable / claimants.length;

+ // Collect truncation dust and add it to the manager's cut

+ uint256 dust = distributable - (claimantCut * claimants.length);

- i_token.transfer(msg.sender, managerCut);

+ i_token.safeTransfer(msg.sender, managerCut + dust);

for (uint256 i = 0; i < claimants.length; i++) {

_transferReward(claimants[i], claimantCut);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-03] [H-03] Precision loss can lead to rewards getting stuck in the pot forever

### \[H-03] Precision loss can lead to rewards getting stuck in the pot forever **Description:** When contest manager closes the pot by calling `Pot::closePot`, 10 percent of the remaining rewards are transferred to the contest manager and the rest are distributed equally among the claimants. It does this by dividing the rewards by the manager's cut percentage which is 10. Then the remaining rewards are divided by the number of players to distribute equally among claimants. Since solidity allows only integer division this will lead to precision loss which will cause a portion of funds to be left in the pot forever. Each pot follows the same method, so as number of pots grow, the loss of funds is very significant. **Impact:** Reward tokens get stuck in the pot forever which causes loss of funds. **Proof of code:** Add the below test to `test/TestMyCut.t.sol` ```javascript function testPrecisionLoss() public mintAndApproveTokens { ContestManager cm = ContestManager(conMan); uint playersLength = 3; address[] memory p = new address[](playersLength); uint256[] memory r = new uint256[](playersLength); uint tr = 86; p[0] = makeAddr("_player1"); p[1] = makeAddr("_player2"); p[2] = makeAddr("_player3"); r[0] = 20; r[1] = 23; r[2] = 43; vm.startPrank(user); address pot = cm.createContest(p, r, weth, tr); cm.fundContest(0); vm.stopPrank(); console.log("\n\ntoken balance in pot before: ", weth.balanceOf(pot)); vm.prank(p[1]); // player 2 Pot(pot).claimCut(); vm.prank(p[0]); // player 1 Pot(pot).claimCut(); vm.prank(user); vm.warp(block.timestamp + 90 days + 1); cm.closeContest(pot); console.log( "\n\ntoken balance in pot after closing pot: ", weth.balanceOf(pot) ); assert(weth.balanceOf(pot) != 0); } ``` Run the below test command in terminal ```Solidity forge test --mt testPrecisionLoss -vv ``` Which results in the below output ```Solidity [⠒] Compiling... [⠆] Compiling 1 files with 0.8.20 [⠰] Solc 0.8.20 finished in 2.57s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testPrecisionLoss() (gas: 936926) Logs: token balance in pot before: 86 token balance in pot after closing pot: 1 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.75ms (654.60µs CPU time) Ran 1 test suite in 261.16ms (1.75ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` If you observe the output you can see the pot still has rewards despite distributing them to claimants. **Recommended Mitigations:** Fixed-Point Arithmetic: Utilize a fixed-point arithmetic library or implement a custom solution to handle fee calculations with greater precision.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!