MyCut
AI First Flight #8
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

closePot divides claimantCut by total players — up to 90% of rewards locked

r0p

Title: closePot divides claimantCut by total players — up to 90% of rewards locked
Impact: High. Remaining rewards after manager cut are permanently locked when not all players claim.
Likelihood: High. Affects every closePot execution with fewer claimants than total players.
Reference Files: repos/src/Pot.sol:49-62

Description

closePot() distributes remaining rewards after the 90-day claim window. The manager receives 10% and the remainder is split among players who claimed. However, claimantCut is computed by dividing by i_players.length (all players), but the distribution loop only iterates over claimants.length (players who actually claimed). The gap (i_players.length - claimants.length) × claimantCut represents tokens computed but never transferred — permanently locked in the Pot with no withdrawal mechanism.

uint256 managerCut = remainingRewards / managerCutPercent;
i_token.transfer(msg.sender, managerCut);
uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; // divides by ALL
for (uint256 i = 0; i < claimants.length; i++) { // loops CLAIMANTS only
_transferReward(claimants[i], claimantCut);
}
// (i_players.length - claimants.length) × claimantCut = locked forever

The remainingRewards state variable is never decremented inside closePot(), so getRemainingRewards() continues reporting a stale value — but no recovery is possible because the actual token balance is insufficient after distribution.

Risk

Impact: High. With 5 players and only 2 claiming: 34% of the remaining pool is locked. With 0 claimants: only the manager's 10% cut is distributed — 90% stays trapped. No withdrawal function exists on the Pot contract to recover locked tokens.
Likelihood: High. The bug triggers on every closePot call where claimants.length < i_players.length. In normal operation, not all authorized players claim within 90 days — this affects essentially every contest.
Over 100 contests with 50% average claim rate and 1,000-token pools, approximately 34,000 tokens are permanently locked across the protocol.

Proof of Concept

function testLockedFundsOnClose() public {
address[] memory players = new address[](5);
for (uint256 i = 0; i < 5; i++) players[i] = makeAddr(string(abi.encodePacked("p", i)));
uint256[] memory rewards = [uint256(20), 20, 20, 20, 20];
vm.startPrank(owner);
address pot = contestManager.createContest(players, rewards, token, 100);
contestManager.fundContest(0);
vm.stopPrank();
vm.prank(players[0]); Pot(pot).claimCut();
vm.prank(players[1]); Pot(pot).claimCut();
vm.warp(91 days);
vm.prank(owner); contestManager.closeContest(pot);
assertGt(token.balanceOf(pot), 0); // ~34 tokens permanently trapped
}

Two of five players claim, closePot executes, and 34 tokens remain locked in the contract with no recovery.

Recommended Mitigation

uint256 managerCut = remainingRewards / managerCutPercent;
uint256 claimantPool = remainingRewards - managerCut;
uint256 claimantCut = claimants.length > 0 ? claimantPool / claimants.length : 0;
i_token.transfer(ContestManager(msg.sender).owner(), managerCut);
for (uint256 i = 0; i < claimants.length; i++) {
_transferReward(claimants[i], claimantCut);
}
remainingRewards = 0;

Divide by claimants.length to distribute the full pool among actual claimants, reset remainingRewards, and route the manager cut to the EOA owner.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Incorrect logic in `Pot::closePot` leads to unfair distribution to `claimants`, potentially locking the funds with no way to take that out

## Description in `closePot` function while calclulating the shares for claimaint cut, `i_players.length` is used, instead of `claimants.length`, causing low amount being distributed to claimants. ## Vulnerability Details [2024-08-MyCut/src/Pot.sol at main · Cyfrin/2024-08-MyCut (github.com)](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L57) `Pot::closePot` function is meant to be called once contest passed 90 days, it sends the owner cut to owner and rest is splitted among the users who claimed b/w 90 days period. However, current implementation is wrong.&#x20; It uses total users (i_players.length) instead of the users (claimants.length) who claimed during the duration. This creates an unfair distribution to the participants and some of the funds could be locked in the contract. In worst case scenerio, it could be 90% if nobody has claimed from the protocol during the 90 days duration. ## POC In existing test suite, add following test: ```solidity function testUnfairDistributionInClosePot() public mintAndApproveTokens { // Setup address[] memory testPlayers = new address[](3); testPlayers[0] = makeAddr("player1"); testPlayers[1] = makeAddr("player2"); testPlayers[2] = makeAddr("player3"); uint256[] memory testRewards = new uint256[](3); testRewards[0] = 400; testRewards[1] = 300; testRewards[2] = 300; uint256 testTotalRewards = 1000; // Create and fund the contest vm.startPrank(user); address testContest = ContestManager(conMan).createContest( testPlayers, testRewards, IERC20(ERC20Mock(weth)), testTotalRewards ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Only player1 claims their reward vm.prank(testPlayers[0]); Pot(testContest).claimCut(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); // Record balances before closing the pot uint256 player1BalanceBefore = ERC20Mock(weth).balanceOf( testPlayers[0] ); // Close the contest vm.prank(user); ContestManager(conMan).closeContest(testContest); // Check balances after closing the pot uint256 player1BalanceAfter = ERC20Mock(weth).balanceOf(testPlayers[0]); // Calculate expected distributions uint256 remainingRewards = 600; // 300 + 300 unclaimed rewards uint256 ownerCut = remainingRewards / 10; // 10% of remaining rewards uint256 distributionPerPlayer = (remainingRewards - ownerCut) / 1; // as only 1 user claimed uint256 fundStucked = ERC20Mock(weth).balanceOf(address(testContest)); // actual results console.log("expected reward:", distributionPerPlayer); console.log( "actual reward:", player1BalanceAfter - player1BalanceBefore ); console.log("Fund stucked:", fundStucked); } ``` then run `forge test --mt testUnfairDistributionInClosePot -vv` in the terminal and it will show following output: ```js [⠊] Compiling... [⠒] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.63s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testUnfairDistributionInClosePot() (gas: 905951) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 expected reward: 540 actual reward: 180 Fund stucked: 360 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.58ms (506.33µs CPU time) ``` ## Impact Loss of funds, Unfair distribution b/w users ## Recommendations Fix the functions as shown below: ```diff function closePot() external onlyOwner { if (block.timestamp - i_deployedAt < 90 days) { revert Pot__StillOpenForClaim(); } if (remainingRewards > 0) { uint256 managerCut = remainingRewards / managerCutPercent; i_token.transfer(msg.sender, managerCut); - uint256 claimantCut = (remainingRewards - managerCut) / i_players.length; + uint256 totalClaimants = claimants.length; + if(totalClaimant == 0){ + _transferReward(msg.sender, remainingRewards - managerCut); + } else { + uint256 claimantCut = (remainingRewards - managerCut) / claimants.length; for (uint256 i = 0; i < claimants.length; i++) { _transferReward(claimants[i], claimantCut); } } + } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!