Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

One of the winner can be a blacklisted address

pyro

Summary

One of the winner can select a for a blacklisted address to receive the funds. This will block the whole transaction and revert it.

Vulnerability Details

Due to users not being registered within the contract and the owner inputting addresses, a potential issue arises. If any user submits a blacklisted USDC address to receive funds, the entire transaction would fail. Consequently, this would obstruct other users from receiving their designated funds. On top of that this user cannot be excluded from the rewards, as the given BPS must match 100%.

if (totalPercentage != (10000 - COMMISSION_FEE)) {

revert Distributor__MismatchedPercentages();

}

Impact

User loss of funds.

Tools Used

Manual review

Recommendations

Use pull instead of push. Make the users claim their rewards.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.