Whenever the organiser decides to distribute the rewards for a given contest he/she needs to call deployProxyAndDistribute function on the ProxyFactory.sol contract. This function deploys a new Proxy.sol contract and makes a call to it, which is forwarded via delegateCall to the implementation contract i.e. Distributor.sol. In the implementation the rewards are transferred in a for loop to each winner based on the percentage passed by the organiser.
I am considering the issue Low since there are multiple ways to go around that particular edge case even with the current architecture; however, all those ways introduce additional risks for potential mistakes and make the process tiresome:
The organiser could execute the distribution without the blacklisted user, however he either has to calculate and split the percentage of the blacklisted user amongst all other users accordingly or the STADIUM_ADDRESS should return those funds to the organiser.
The owner could take out any stuck funds if necessary and the whole process will have to be re-done in order to properly execute the distribution flow.
As the protocol intends to use tokens that have a built-in blacklisting functionality such as USDC, there is a chance that a blacklisted user is amongst the winners, which would cause the whole distribution flow to revert as the transfer to that specific user will fail.
Temporary DoS of rewards distribution and bad UX.
Manual Review
The best way to solve this potential edge case is by adopting the pull over push pattern, which is suggested in general. Instead of transferring the funds directly to each winner, you can store the amount to be paid for each winner in a mapping during the distribute function call, such as:
mapping(address => uint256) public userToWinnings;
However this would require a bit of a re-design of the overall protocol as the current Proxy => Implementation pattern would not work unless a new Implementation is deployed together with each proxy.
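A sketch of the pull pattern recommended above, as an added example that is not the project's Distributor.sol. The contract name PullDistributor, the totalOwed counter, the claim function and the basis-point percentage scale are assumptions made for illustration; it is written as a standalone contract and leaves the Proxy => Implementation question aside.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface used by this example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical pull-payment distributor (illustration only).
contract PullDistributor {
    uint256 private constant BASIS_POINTS = 10_000; // assumed percentage scale

    IERC20 public immutable token;
    address public immutable organiser;
    mapping(address => uint256) public userToWinnings;
    uint256 public totalOwed; // credited to winners but not yet claimed

    constructor(IERC20 _token, address _organiser) {
        token = _token;
        organiser = _organiser;
    }

    /// Records each winner's share. No transfer happens here, so a
    /// blacklisted winner cannot make the whole distribution revert.
    function distribute(address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == organiser, "not organiser");
        require(winners.length == percentages.length, "length mismatch");
        uint256 pool = token.balanceOf(address(this)) - totalOwed;
        uint256 sum;
        uint256 credited;
        for (uint256 i; i < winners.length; ++i) {
            uint256 amount = (pool * percentages[i]) / BASIS_POINTS;
            userToWinnings[winners[i]] += amount;
            credited += amount;
            sum += percentages[i];
        }
        require(sum == BASIS_POINTS, "percentages must total 100%");
        totalOwed += credited;
    }

    /// Each winner withdraws separately; a failing transfer only affects
    /// the caller. State is cleared before the external call.
    function claim() external {
        uint256 amount = userToWinnings[msg.sender];
        require(amount != 0, "nothing to claim");
        userToWinnings[msg.sender] = 0;
        totalOwed -= amount;
        // Tokens that return no value from transfer need a safe-transfer wrapper.
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

With this layout a blacklisted winner's claim reverts on its own, and the unclaimed balance stays recorded in userToWinnings until it is handled.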