Summary

This bug report highlights several potential issues and areas of improvement in the Distributor contract. The contract is intended to distribute ERC20 tokens to winners based on specified percentages, and it plays a crucial role in the token distribution process. The identified issues range from input validation to gas optimization and potential arithmetic overflow.

Vulnerability Details

Below are the specific issues found in the contract:

1 . Missing Constructor Input Checks:

• In the constructor, the contract does not use require statements to enforce the conditions that factoryAddress and stadiumAddress cannot be zero addresses.

• Without these checks, the contract could be deployed with invalid addresses, leading to unexpected behavior during token distribution.

2 . Inefficient Loop Unrolling:

• The _distribute function contains unnecessary loop unrolling using the increment operator (++i).

• Loop unrolling here provides no optimization benefits and adds unnecessary complexity to the code.

3 . Potential Overflow:

• The calculation totalAmount * percentages[i] / BASIS_POINTS in the _distribute function could lead to arithmetic overflow if totalAmount is large and percentages[i] is close to BASIS_POINTS.

4 . Lack of Validation for Percentages:

• The _distribute function does not validate whether individual percentage values in the percentages array are within the valid range (0 to 10000).

5 . Lack of Error Handling for Token Transfer:

• The _distribute function uses safeTransfer for token transfers but lacks error handling for transfer failures.
  This could lead to failed transfers going unnoticed, leaving winners without their rewards.

6 . Potential Gas Optimization:

• The _commissionTransfer function transfers the entire remaining token balance to the STADIUM_ADDRESS.
  This might consume excessive gas and result in inefficient token transfers.

Impact

The potential impact of these issues could range from incorrect token distribution to smart contract vulnerabilities that could be exploited by malicious actors. These issues might lead to unexpected behavior, incorrect distributions, loss of funds, or contract failures.

Tools Used

Manual Review

Recommendations

• Implement proper input validation checks in the constructor to prevent deployment with zero addresses.

• Remove unnecessary loop unrolling in the _distribute function for better readability.

• Implement overflow checks when performing arithmetic operations involving totalAmount and percentages.

• Validate percentage values in the percentages array to ensure they are within the valid range.

• Implement error handling for token transfers using safeTransfer to handle transfer failures gracefully.

• Optimize gas usage in the _commissionTransfer function by transferring only the required commission fee.