Distributor._distribute contains the logic that distributes whitelisted tokens to winners. If one of these tokens implements a blocklist, a single winner can DoS the distribution system.
In Distributor.sol:147, the contract iterates over an array of winners and transfers tokens to them. If a token transfer is made to a blocked address, the logic reverts and the withdrawal process is disrupted.
This is problematic if the token contains a blocklist, such as USDC.
Denial of service of distributions in the event that a user is blocklisted by a whitelisted token such as USDC.
Manual Review
To prevent the potential disruption and offer a robust solution to the DoS vulnerability, we propose an implementation of a 2-step withdrawal process:
In a for loop, increment the total amount that the user is allowed to safely withdraw.
Have the users themselves withdraw their balance.
This way, if a user's transfer fails, it will not affect the rest of the withdrawals.
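A sketch of the 2-step withdrawal described above, added here as an example and not taken from the audited contract. The contract name PullDistributor, the claimable mapping, the owner check and the claim function are hypothetical, and the contract is assumed to already hold the tokens being distributed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example with hypothetical names; not the audited Distributor code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PullDistributor {
    address public immutable owner = msg.sender;
    // token => winner => amount credited but not yet withdrawn
    mapping(address => mapping(address => uint256)) public claimable;

    event Claimed(address indexed token, address indexed winner, uint256 amount);

    function distribute(address token, address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        _distribute(token, winners, amounts);
    }

    // Step 1: accounting only. No external call happens inside the loop,
    // so a blocklisted winner cannot make the whole distribution revert.
    function _distribute(address token, address[] memory winners, uint256[] memory amounts) internal {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; ++i) {
            claimable[token][winners[i]] += amounts[i];
        }
    }

    // Step 2: each winner withdraws their own balance. A revert here
    // (for example, the token blocklists the caller) affects only that caller.
    function claim(address token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before interaction
        // Assumes the token returns a bool; tokens that return nothing
        // need a SafeERC20-style wrapper instead of this require.
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        emit Claimed(token, msg.sender, amount);
    }
}
```

A blocklisted winner's claim keeps reverting, but their credited balance stays in claimable and the other winners' claims are unaffected.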