Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Unverified Input Parameters: A Potential Cause of Winner Address Duplication


Summary

Vulnerability Details

Vulnerable code:

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }

Patch:

    // Declared at contract level: Solidity does not allow a mapping to be
    // declared inside a function body. Note that flags set here persist in
    // storage across calls.
    mapping(address => bool) processedWinners; // Keep track of processed winners

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        address winner = winners[i];
        // Check if this winner has already been processed
        if (!processedWinners[winner]) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winner, amount);
            // Mark this winner as processed
            processedWinners[winner] = true;
        }
        unchecked {
            ++i;
        }
    }

When processing a list of winners to distribute tokens, there is a potential issue stemming from unverified addresses within the winners list. In the code snippet above, the 'winners' array holds the addresses intended to receive ERC20 tokens, but nothing checks whether a given address has already received its share.
As a result, if the same address appears more than once in the 'winners' array, tokens are transferred to that address once per occurrence. This happens because the loop iterates over the array without verifying whether a specific address has already been processed.

Impact

Severity: Medium

Impact: High

Likelihood: Low

Inaccurate Distribution.

Tools Used

Recommendations

Input Validation: Implement input validation checks (for example, a mapping of already-processed addresses as in the patch above) so that no winner address is paid more than once.
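The following contract is an added illustration and is not code from the Sparkn project or from the submission. It places the vulnerable loop beside a hardened variant that rejects duplicate (and length-mismatched) input before any transfer is made. Unlike the storage mapping in the patch above, the check here is a pure in-memory scan of the calldata arrays, so no flag persists between distributions and a legitimate winner of a later contest is not silently skipped. The `IERC20` interface, the `DistributionExample` name and the custom errors are assumptions for this example; the original uses OpenZeppelin's `SafeERC20.safeTransfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC20 surface for the example (assumption; the original code uses SafeERC20).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DistributionExample {
    uint256 public constant BASIS_POINTS = 10000;

    error LengthMismatch(uint256 winners, uint256 percentages);
    error DuplicateWinner(address winner, uint256 firstIndex, uint256 secondIndex);
    error TransferFailed(address winner, uint256 amount);

    // Vulnerable pattern, mirroring the report: each array slot is paid without
    // checking whether the address was already paid at an earlier slot.
    function distributeUnchecked(
        IERC20 erc20,
        address[] calldata winners,
        uint256[] calldata percentages,
        uint256 totalAmount
    ) external {
        uint256 winnersLength = winners.length; // cache length
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            _pay(erc20, winners[i], amount);
            unchecked { ++i; }
        }
    }

    // Hardened variant: validate the whole input first, then pay. Reverting before
    // the first transfer means a bad list never results in a partial payout.
    function distributeChecked(
        IERC20 erc20,
        address[] calldata winners,
        uint256[] calldata percentages,
        uint256 totalAmount
    ) external {
        _requireUniqueWinners(winners, percentages);
        uint256 winnersLength = winners.length;
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            _pay(erc20, winners[i], amount);
            unchecked { ++i; }
        }
    }

    // O(n^2) pairwise scan over calldata. Winner lists in this pattern are short,
    // so this is cheap, and it touches no storage: nothing leaks into later calls.
    function _requireUniqueWinners(
        address[] calldata winners,
        uint256[] calldata percentages
    ) internal pure {
        uint256 n = winners.length;
        if (n != percentages.length) revert LengthMismatch(n, percentages.length);
        for (uint256 i; i < n;) {
            address w = winners[i];
            for (uint256 j = i + 1; j < n;) {
                if (winners[j] == w) revert DuplicateWinner(w, i, j);
                unchecked { ++j; }
            }
            unchecked { ++i; }
        }
    }

    function _pay(IERC20 erc20, address to, uint256 amount) internal {
        if (!erc20.transfer(to, amount)) revert TransferFailed(to, amount);
    }
}
```

With `winners = [A, A]` and `percentages = [5000, 5000]`, `distributeUnchecked` sends `A` the entire `totalAmount` in two transfers, while `distributeChecked` reverts with `DuplicateWinner(A, 0, 1)` before moving any tokens. Rejecting the input rather than silently skipping the second slot is deliberate: a duplicated address usually means the caller's list is wrong, and a revert surfaces that instead of leaving the skipped share stranded in the contract.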
