Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Blocklisted winner could block reward distribution or be denied their reward

Summary

A winner blacklisted by the reward token could either block reward distribution or be denied their rewards.

Vulnerability Details

Distributor._distribute() loops through the winners[] array to distribute JPYC to winners. However, tokens like USDC/USDT have a blacklist that can block an address from sending or receiving tokens. If any winner happens to be blacklisted, the transfer to that winner reverts and this could block reward distribution for everyone; alternatively, the winner would be unable to receive their reward if they are excluded from the array and the percentages are recalculated.
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L147

function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
    internal
{
    // ...SNIP
    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount); // @audit if a winner is blocklisted the whole transaction would fail.
        unchecked {
            ++i;
        }
    }
    // ...SNIP
}

Impact

A blocklisted winner could block reward distribution or be denied their reward.

Tools Used

Manual Review

Recommendations

Use pull over push in reward distribution.
_distribute could store rewards for winners in a mapping; a separate function would then let winners claim their rewards to an arbitrary address and reset the mapping afterwards.
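
A sketch of the pull-based pattern recommended above, added here as an example; it is not Sparkn's code. The contract name, the `claimable` and `totalOwed` mappings, the `claim` function and the `BASIS_POINTS` value are assumptions, and the original function's `data` parameter and snipped logic are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch of pull-based distribution; not Sparkn's Distributor.
contract PullDistributorSketch {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000; // assumed value: 100% in basis points

    // token => winner => amount credited but not yet claimed
    mapping(address => mapping(address => uint256)) public claimable;
    // token => total credited and still unclaimed, so later rounds do not re-allocate it
    mapping(address => uint256) public totalOwed;

    error NothingToClaim();
    error LengthMismatch();

    // Credits each winner instead of transferring, so no single address can revert the loop.
    function _distribute(address token, address[] memory winners, uint256[] memory percentages) internal {
        if (winners.length != percentages.length) revert LengthMismatch();
        uint256 totalAmount = IERC20(token).balanceOf(address(this)) - totalOwed[token];
        uint256 credited;
        for (uint256 i; i < winners.length; ++i) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            claimable[token][winners[i]] += amount;
            credited += amount;
        }
        totalOwed[token] += credited;
    }

    // A winner pulls their own reward and may direct it to another address.
    function claim(address token, address to) external {
        uint256 amount = claimable[token][msg.sender];
        if (amount == 0) revert NothingToClaim();
        // Reset before the external call (checks-effects-interactions).
        claimable[token][msg.sender] = 0;
        totalOwed[token] -= amount;
        // If `to` is blocklisted only this claim reverts, and the revert restores the credit.
        IERC20(token).safeTransfer(to, amount);
    }
}
```

A failed transfer now affects only the claimant who triggered it, and a blocklisted winner can retry with a different `to` address.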
