MyCut
AI First Flight #8
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-2] Manager cut is locked in `ContestManager`

s4m0y3d

Root + Impact

Description

  • Pot::closePot pays the manager cut to msg.sender. A Pot is owned by the ContestManager contract (it is created via new Pot(...)), and closePot is onlyOwner, so it can only be reached through ContestManager::closeContest. Consequently msg.sender inside closePot is always the ContestManager contract, not the human manager. ContestManager has no function to transfer ERC20 tokens out, so every manager cut is stranded in it forever.

// Pot.sol
function closePot() external onlyOwner { // owner == ContestManager contract
...
uint256 managerCut = remainingRewards / managerCutPercent;
i_token.transfer(msg.sender, managerCut); // msg.sender == ContestManager
...
}
// ContestManager.sol — the only path that reaches closePot
function closeContest(address contest) public onlyOwner {
_closeContest(contest);
}
function _closeContest(address contest) internal {
Pot pot = Pot(contest);
pot.closePot(); // ContestManager is the caller -> msg.sender in Pot
}

Risk

Likelihood:

  • High (every close routes through ContestManager).

Impact:

  • High (permanent fund lock on every close).

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test, console} from "lib/forge-std/src/Test.sol";
import {ContestManager} from "../src/ContestManager.sol";
import {Pot} from "../src/Pot.sol";
import {IERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/ERC20.sol";
import {ERC20Mock} from "./ERC20Mock.sol";
// H-2: Pot.closePot sends the manager cut to msg.sender. But a Pot is owned by
// the ContestManager contract (it is created with `new Pot(...)`), and closePot
// is only reachable via ContestManager.closeContest. So msg.sender is the
// ContestManager *contract*, which has no function to move ERC20 out -> the
// manager cut is permanently locked in ContestManager, never reaching the
// human owner.
contract PoC_ManagerCutLocked is Test {
ContestManager conMan;
ERC20Mock weth;
address user = makeAddr("user"); // human owner / intended cut recipient
address player1 = makeAddr("player1");
address player2 = makeAddr("player2");
address[] players = [player1, player2];
uint256[] rewards = [500, 500];
uint256 totalRewards = 1000;
address contest;
function setUp() public {
vm.startPrank(user);
conMan = new ContestManager();
weth = new ERC20Mock("WETH", "WETH", user, 0);
weth.mint(user, 1000 ether);
weth.approve(address(conMan), type(uint256).max);
contest = conMan.createContest(players, rewards, IERC20(weth), totalRewards);
conMan.fundContest(0);
vm.stopPrank();
}
function test_manager_cut_is_locked_in_ContestManager() public {
vm.warp(91 days); // nobody claims -> remaining = 1000, managerCut = 100
uint256 ownerBefore = weth.balanceOf(user);
vm.prank(user);
conMan.closeContest(contest);
// The human owner received nothing...
assertEq(weth.balanceOf(user), ownerBefore, "human owner got 0 of the manager cut");
// ...the 100-token cut is stranded in the ContestManager contract,
// which has no withdraw/sweep function.
assertEq(weth.balanceOf(address(conMan)), 100, "manager cut locked in ContestManager");
console.log("Cut stuck in ContestManager:", weth.balanceOf(address(conMan)));
}
}

Recommended Mitigation

- i_token.transfer(msg.sender, managerCut);
+ i_token.transfer(owner(), managerCut); // owner() of the Pot is the ContestManager; instead pass the human manager
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 7 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Owner Cut Stuck in `ContestManager`

## Description When `closeContest` function in the `ContestManager` contract is called, `pot` sends the owner's cut to the `ContestManager` itself, with no mechanism to withdraw these funds. ## Vulnerability Details: Relevant code - [Pot](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L7) [ContestManager](https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/ContestManager.sol#L16-L26) The vulnerability stems from current ownership implementation between the `Pot` and `ContestManager` contracts, leading to funds being irretrievably locked in the `ContestManager` contract. 1. **Ownership Assignment**: When a `Pot` contract is created, it assigns `msg.sender` as its owner: ```solidity contract Pot is Ownable(msg.sender) { ... } ``` 2. **Contract Creation Context**: The `ContestManager` contract creates new `Pot` instances through its `createContest` function: ```solidity function createContest(...) public onlyOwner returns (address) { Pot pot = new Pot(players, rewards, token, totalRewards); ... } ``` In this context, `msg.sender` for the new `Pot` is the `ContestManager` contract itself, not the external owner who called `createContest`. 3. **Unintended Ownership**: As a result, the `ContestManager` becomes the owner of each `Pot` contract it creates, rather than the intended external owner. 4. **Fund Lock-up**: When `closeContest` is called (after the 90-day contest period), it triggers the `closePot` function: ```solidity function closeContest(address contest) public onlyOwner { Pot(contest).closePot(); } ``` The `closePot` function sends the owner's cut to its caller. Since the caller is `ContestManager`, these funds are sent to and locked within the `ContestManager` contract. 5. **Lack of Withdrawal Mechanism**: The `ContestManager` contract does not include any functionality to withdraw or redistribute these locked funds, rendering them permanently inaccessible. This ownership misalignment and the absence of a fund recovery mechanism result in a critical vulnerability where contest rewards become permanently trapped in the `ContestManager` contract. ## POC In existing test suite, add following test ```solidity function testOwnerCutStuckInContestManager() public mintAndApproveTokens { vm.startPrank(user); contest = ContestManager(conMan).createContest( players, rewards, IERC20(ERC20Mock(weth)), 100 ); ContestManager(conMan).fundContest(0); vm.stopPrank(); // Fast forward 91 days vm.warp(block.timestamp + 91 days); uint256 conManBalanceBefore = ERC20Mock(weth).balanceOf(conMan); console.log("contest manager balance before:", conManBalanceBefore); vm.prank(user); ContestManager(conMan).closeContest(contest); uint256 conManBalanceAfter = ERC20Mock(weth).balanceOf(conMan); // Assert that the ContestManager balance has increased (owner cut is stuck) assertGt(conManBalanceAfter, conManBalanceBefore); console.log("contest manager balance after:", conManBalanceAfter); } ``` run `forge test --mt testOwnerCutStuckInContestManager -vv` in the terminal and it will return following output: ```js [⠊] Compiling... [⠑] Compiling 1 files with Solc 0.8.20 [⠘] Solc 0.8.20 finished in 1.66s Compiler run successful! Ran 1 test for test/TestMyCut.t.sol:TestMyCut [PASS] testOwnerCutStuckInContestManager() (gas: 810988) Logs: User Address: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Contest Manager Address 1: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 Minting tokens to: 0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D Approved tokens to: 0x7BD1119CEC127eeCDBa5DCA7d1Bd59986f6d7353 contest manager balance before: 0 contest manager balance after: 10 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 10.51ms (1.31ms CPU time) ``` ## Impact Loss of funds for the protocol / owner ## Recommendations Add a claimERC20 function `ContestManager` to solve this issue. ```solidity function claimStuckedERC20(address tkn, address to, uint256 amount) external onlyOwner { // bytes4(keccak256(bytes('transfer(address,uint256)'))); (bool success, bytes memory data) = tkn.call(abi.encodeWithSelector(0xa9059cbb, to, amount)); require( success && (data.length == 0 || abi.decode(data, (bool))), 'ContestManager::safeTransfer: transfer failed' ); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!