Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Unverified Input Parameters: A Potential Cause of Winner Address Duplication


Summary

Vulnerability Details

Vulnerable code:

uint256 winnersLength = winners.length; // cache length
for (uint256 i; i < winnersLength;) {
    uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
    erc20.safeTransfer(winners[i], amount);
    unchecked {
        ++i;
    }
}

Patch:

mapping(address => bool) private processedWinners; // contract storage: Solidity does not allow a mapping to be declared inside a function

// inside the distribution function, after winnersLength has been cached
for (uint256 i; i < winnersLength;) {
    address winner = winners[i];
    // Check if this winner has already been processed in this call
    if (!processedWinners[winner]) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winner, amount);
        // Mark this winner as processed
        processedWinners[winner] = true;
    }
    unchecked {
        ++i;
    }
}
// Clear the markers so a winner of this distribution is not skipped in a later one
for (uint256 i; i < winnersLength;) {
    delete processedWinners[winners[i]];
    unchecked {
        ++i;
    }
}

The loop trusts the `winners` array exactly as supplied: for every index i it computes `totalAmount * percentages[i] / BASIS_POINTS` and transfers that amount to `winners[i]`, with no check that the listed addresses are distinct. Nothing in the loop records which addresses have already been paid.
As a result, if the same address appears at more than one index of `winners`, it is paid at each of those indices and ends up holding the sum of those shares, and the split that was intended among distinct winners is not what actually gets paid out. The duplication is neither detected nor rejected.

Impact

Severity: Medium

Impact: High

Likelihood: Low

Inaccurate distribution: an address that appears at more than one index receives the sum of the shares at each of those indices, so the realised split differs from the intended one.

Tools Used

Recommendations

Input validation: before any transfer, verify that no address appears more than once in `winners` (for example with a pairwise comparison of the array, or a per-call set of addresses already seen) and revert on a duplicate. Reverting is preferable to silently skipping the repeated entry, because a skipped index transfers nothing and leaves that percentage of `totalAmount` undistributed in the contract.
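The following Foundry test is an added example covering both the vulnerability described above and the recommendation; it is not Sparkn or CodeFox code. `DistributorLike` is a hypothetical stand-in whose `distribute` reproduces the quoted loop, with `totalAmount` simplified to the contract's full token balance (the real contract's fee handling is omitted). `MockUSDC`, the addresses `alice` and `bob`, the 50/30/20 split and the `DuplicateWinner` error are all constructed for the test; `distributeChecked` shows the recommended pairwise duplicate check that reverts before any token moves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (not Sparkn / CodeFox code). Assumes forge-std and OpenZeppelin
// are installed as in a standard Foundry project.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed 6-decimal token standing in for the contest's USDC.
contract MockUSDC is ERC20 {
    constructor() ERC20("Mock USDC", "USDC") { _mint(msg.sender, 1_000_000e6); }
    function decimals() public pure override returns (uint8) { return 6; }
}

// Hypothetical stand-in for the distributor; totalAmount is the full token balance.
contract DistributorLike {
    using SafeERC20 for IERC20;
    uint256 public constant BASIS_POINTS = 10_000;
    IERC20 public immutable erc20;

    error DuplicateWinner(address winner, uint256 firstIndex, uint256 duplicateIndex);

    constructor(IERC20 token) { erc20 = token; }

    // Vulnerable form: every index is paid, so a repeated address is paid repeatedly.
    function distribute(address[] calldata winners, uint256[] calldata percentages) external {
        _payOut(winners, percentages);
    }

    // Hardened form: reject duplicates before any token moves.
    function distributeChecked(address[] calldata winners, uint256[] calldata percentages) external {
        _requireUnique(winners);
        _payOut(winners, percentages);
    }

    // Reproduces the quoted loop from the finding.
    function _payOut(address[] calldata winners, uint256[] calldata percentages) internal {
        uint256 totalAmount = erc20.balanceOf(address(this));
        uint256 winnersLength = winners.length; // cache length
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winners[i], amount);
            unchecked { ++i; }
        }
    }

    // Pairwise scan: O(n^2) comparisons but no storage, so nothing carries over
    // between distributions and nothing has to be reset afterwards.
    function _requireUnique(address[] calldata winners) internal pure {
        uint256 n = winners.length;
        for (uint256 i; i < n;) {
            for (uint256 j = i + 1; j < n;) {
                if (winners[i] == winners[j]) revert DuplicateWinner(winners[i], i, j);
                unchecked { ++j; }
            }
            unchecked { ++i; }
        }
    }
}

contract DuplicateWinnerTest is Test {
    MockUSDC internal token;
    DistributorLike internal dist;
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");

    function setUp() public {
        token = new MockUSDC();
        dist = new DistributorLike(IERC20(address(token)));
        token.transfer(address(dist), 10_000e6); // constructed prize pool: 10,000 USDC
    }

    // alice at index 0 and 1, bob at index 2; the shares sum to 100%.
    function _duplicateInput() internal view returns (address[] memory winners, uint256[] memory pct) {
        winners = new address[](3);
        winners[0] = alice; winners[1] = alice; winners[2] = bob;
        pct = new uint256[](3);
        pct[0] = 5_000; pct[1] = 3_000; pct[2] = 2_000;
    }

    function test_duplicateAddressCollectsBothShares() public {
        (address[] memory winners, uint256[] memory pct) = _duplicateInput();
        dist.distribute(winners, pct);
        assertEq(token.balanceOf(alice), 8_000e6); // 50% + 30% of the pool
        assertEq(token.balanceOf(bob), 2_000e6);
    }

    function test_checkedDistributionRevertsOnDuplicate() public {
        (address[] memory winners, uint256[] memory pct) = _duplicateInput();
        vm.expectRevert(abi.encodeWithSelector(DistributorLike.DuplicateWinner.selector, alice, 0, 1));
        dist.distributeChecked(winners, pct);
        assertEq(token.balanceOf(address(dist)), 10_000e6); // nothing moved
    }
}
```

Run with `forge test --match-contract DuplicateWinnerTest -vv`. The first test shows the finding: alice holds 8,000 USDC after a single distribution because she is paid at two indices. The second shows the check rejecting the same input before any transfer, leaving the pool intact; the pairwise scan is chosen over a storage mapping because winner lists are short and the check needs no state that could leak into a later distribution.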
