Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

DoS of distribution if winners array is too big

Summary

When a contest has finished, the organiser can invoke the deployProxyAndDistribute function on ProxyFactory.sol, which deploys a new Proxy.sol contract and invokes the distribute function on the implementation contract with the winners array and percentages array that the organiser passes as parameters. The distribute function runs a for loop over the winners, calculating the share of totalAmount each winner is entitled to and transferring that amount to them.

Vulnerability Details

The problem is that if the array passed is too big, the organiser risks the transaction failing with an out-of-gas error by reaching the block gas limit. When a contest attracts many participants, the organiser might not be able to distribute the rewards after the contest is completed, because there is also no way to split the distribution into two sequential transactions: any left-over tokens are automatically transferred to STADIUM_ADDRESS. Overall, this breaks the main use case of the protocol, which is to distribute rewards for a given contest atomically and in a permissionless and decentralised manner.

Impact

Inability to distribute rewards after the contest has been concluded.

Tools Used

Manual Review

Recommendations

There are two possible routes to resolve this issue:

  1. Consider the pull-over-push pattern, where the distribute function stores the amount of rewards for each user and each winner then withdraws their own rewards.

  2. Integrate a partial distribution functionality that allows the organiser to split the distribution into two or more phases in order to avoid the potential out-of-gas (OOG) problem.
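
A sketch of route 1 whose allocation step can also be called in batches as in route 2, added here as an illustration and not taken from the Sparkn code base. The contract name PullDistributor, its functions, the 10,000 basis-point scale and a token whose transfer returns a bool are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface used by this sketch.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pull-based distributor; not the project's Distributor contract.
contract PullDistributor {
    uint256 private constant BASIS_POINTS = 10_000; // assumed scale: 100% = 10000

    address public immutable organiser;
    IERC20 public immutable token;
    uint256 public totalAmount;  // prize pool snapshot, fixed on the first batch
    uint256 public allocatedBps; // sum of percentages recorded so far
    mapping(address => uint256) public claimable;

    constructor(address _organiser, IERC20 _token) {
        organiser = _organiser;
        token = _token;
    }

    // Records entitlements only: no token transfers happen inside the loop.
    // Callable repeatedly, so a large winner set can be split across transactions.
    function allocate(address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == organiser, "not organiser");
        require(winners.length > 0 && winners.length == percentages.length, "bad input");
        if (totalAmount == 0) totalAmount = token.balanceOf(address(this));
        uint256 bps = allocatedBps;
        for (uint256 i = 0; i < winners.length; ++i) {
            require(winners[i] != address(0), "zero winner");
            bps += percentages[i];
            claimable[winners[i]] += (totalAmount * percentages[i]) / BASIS_POINTS;
        }
        require(bps <= BASIS_POINTS, "over 100%"); // batches can never over-allocate
        allocatedBps = bps;
    }

    // Each winner pays the gas for their own transfer, so one failing or
    // expensive recipient cannot block the others.
    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0; // clear state before the external call
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Any sweep of left-over tokens to STADIUM_ADDRESS would have to become a separate step that runs only after allocation is complete, otherwise the first batch would drain the funds owed to later batches.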
