Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Token push to winners in distribute() will fail for all winners if one of them cannot receive

Summary

The distribute() function will fail to push tokens for all the winners if one winner cannot receive the tokens.

Vulnerability Details

The function safeTransfer() could fail under the following scenarios:

  • A token with a callback is used, for example an ERC777 token, and the callback is not implemented correctly or fails on purpose.

  • A token with a blacklist option is used and one winner is blacklisted. For example, USDC has such blacklist
    functionality. Because a winner can be an unknown party, there is a small risk that they are malicious and that
    their address is blacklisted in USDC.

Impact

Apart from the lost gas fees there is no permanent impact: the transaction can be retried with the failing winner removed from the list.
Depending on the rules of the contest, however, one party could add many winners to the list that are unable to receive the tokens. This could be used to force repeated transaction failures, unless the organizer simulates the transaction and adjusts the list of winners until a valid transaction is found.

Tools Used

Manual code review

Recommendations

It is recommended to use a PULL pattern for token distribution instead of a PUSH pattern.
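As an added illustration of that recommendation (not Sparkn's code; the contract and function names are assumptions), the following distributor records each winner's share and lets winners withdraw individually, so a transfer that reverts for one recipient cannot block the others:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical PULL-pattern distributor (illustration only, not Sparkn code).
contract PullDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable organizer;
    uint256 public totalAllocated;                 // sum of all unclaimed shares
    mapping(address => uint256) public claimable;  // share owed to each winner

    event Allocated(address indexed winner, uint256 amount);
    event Claimed(address indexed winner, uint256 amount);

    constructor(IERC20 _token, address _organizer) {
        token = _token;
        organizer = _organizer;
    }

    /// Records each winner's share. No token leaves the contract here, so a
    /// winner that cannot receive (blacklisted address, reverting ERC777 hook)
    /// cannot make the whole distribution revert.
    function allocate(address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == organizer, "not organizer");
        require(winners.length == amounts.length, "length mismatch");
        uint256 total = totalAllocated;
        for (uint256 i = 0; i < winners.length; i++) {
            claimable[winners[i]] += amounts[i];
            total += amounts[i];
            emit Allocated(winners[i], amounts[i]);
        }
        // Never promise more than the contract actually holds.
        require(token.balanceOf(address(this)) >= total, "insufficient funds");
        totalAllocated = total;
    }

    /// Each winner withdraws its own share; a revert here affects only the caller.
    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;       // effects before interaction (reentrancy-safe)
        totalAllocated -= amount;
        token.safeTransfer(msg.sender, amount);
        emit Claimed(msg.sender, amount);
    }
}
```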
