Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

Missing zero address check for the winners in Distributor.sol

Summary

It is possible to pass a winners array that contains address(0) as an argument to the distribute function in the implementation contract; the loop transfers to each entry without validating it.

Vulnerability Details

src/Distributor.sol

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount); // no check that winners[i] != address(0)
        unchecked {
            ++i;
        }
    }

Impact

Because distribute is called through the proxy and its arguments are passed as ABI-encoded bytes, a winners array in which one or more entries equal address(0) would send the corresponding share of the owner's and organizer's rewards to address(0). The impact is therefore significant.

If that happens, users will lose a great deal of trust in the protocol.

Tools Used

Manual review

Recommendations

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
+       require(winners[i] != address(0));
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }
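The same guard can be structured as a validate-first pass that rejects the whole batch before any token moves, so a bad entry cannot leave a distribution half-completed. This is an added, standalone example and not Sparkn's code; the contract name, the custom errors, the length-mismatch check and the function signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative rewrite of the distribution loop (hypothetical contract, not Sparkn's).
contract SafeRewardSplitter {
    using SafeERC20 for IERC20;

    uint256 public constant BASIS_POINTS = 10_000;

    // Indexed error tells the caller exactly which entry was rejected.
    error ZeroAddressWinner(uint256 index);
    error LengthMismatch(uint256 winners, uint256 percentages);

    function distribute(
        IERC20 erc20,
        address[] calldata winners,
        uint256[] calldata percentages,
        uint256 totalAmount
    ) external {
        uint256 winnersLength = winners.length; // cache length
        if (winnersLength != percentages.length) {
            revert LengthMismatch(winnersLength, percentages.length);
        }

        // Pass 1: validate every recipient before moving any funds.
        // The check belongs here regardless of whether the token itself
        // rejects transfers to address(0); failing early gives a clear error
        // instead of a partially executed batch or silently burned rewards.
        for (uint256 i; i < winnersLength;) {
            if (winners[i] == address(0)) revert ZeroAddressWinner(i);
            unchecked {
                ++i;
            }
        }

        // Pass 2: transfer, now that the whole input is known to be well-formed.
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winners[i], amount);
            unchecked {
                ++i;
            }
        }
    }
}
```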
