Sparkn

Summary

Change in BASIS_POINTS will make the protocol's distribute functionality to not work as expected due to hardcoded 10000 value in Distributor._distribute function.

Vulnerability Details

https://github.com/Cyfrin/2023-08-sparkn/blob/47c22b818818af4ea7388118dd83fa308ad67b83/src/Distributor.sol#L135

As we can see there is a use of a constant value 10000 instead of using BASIS_POINTS here to make sure totalPercentage == 95% (COMMISSION_FEE=5%)

https://github.com/Cyfrin/2023-08-sparkn/blob/47c22b818818af4ea7388118dd83fa308ad67b83/src/Distributor.sol#L145-L147

Here its using BASIS_POINTS in calculation of amount of tokens to send to winners based on their percentage.

Since, its using constant value 10000 and immutable variable BASIS_POINTS which might changed during deployment and when BASIS_POINTS != 10000, it will affect protocol's distribute functionality to not work as expected.

There are two possibilities:

1. BASIS_POINTS > 10000:
   Since totalPercentage is still in a basis points of 10000 due to hardcoding, It will send few tokens to all winners as their share got deflated due to BASIS_POINTS > 10000. And then it will send all the remaining tokens as commission fee to STADIUM_ADDRESS.

2. BASIS_POINTS < 10000:
   Since totalPercentage is still in a basis points of 10000 due to hardcoding, It will try to send more tokens to first few winners as their share got inflated due to BASIS_POINTS < 10000 and then it might start reverting as their is no tokens left to send to remaining winners.

Impact

Change in BASIS_POINTS will make the protocol's distribute functionality to not work as expected.

Tools Used

Manual Review

Recommendations

We recommend to change hardcoded value of 10000 at https://github.com/Cyfrin/2023-08-sparkn/blob/47c22b818818af4ea7388118dd83fa308ad67b83/src/Distributor.sol#L135 to BASIS_POINTS like

From

To