The Distributor contract does not validate the addresses in the winners[] array before processing them. Because of this omission, an attacker who can influence the contents of winners[] can supply invalid entries such as the zero address, and the distribution can never complete.
In _distribute(), the contract transfers tokens directly to each address in the winners array without first checking that the address is valid, in particular that it is non-zero. Standard ERC20 implementations revert on a transfer to the zero address, so a single invalid entry causes the transfer loop to fail on every call: the loop can never run to completion, the whole call reverts, and no winner is paid.
Since every attempt to distribute fails in the same way, this is a denial of service against the Distributor contract: its distribution mechanism is rendered unusable for as long as the invalid address remains in winners[].
To mitigate this issue, validate every address before any operation that transfers tokens: check that each entry in the winners array is a non-zero address at the point where the array is supplied, so that an invalid entry is rejected up front rather than discovered (and re-discovered) inside the transfer loop.
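The following is an added illustration, not the audited Distributor's code. It places the unchecked loop the finding describes beside a hardened version that validates the winners array before any transfer and also checks the ERC20 return value. The names `DistributorExample`, `_distributeUnchecked`, `_distributeChecked`, the `amounts` array and the minimal `IERC20` interface are assumptions for the example; the real contract's storage layout and entry points may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the example (assumption: the real
// contract most likely uses a full IERC20 such as OpenZeppelin's).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative contract for the finding; not the project's own code.
contract DistributorExample {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    // VULNERABLE pattern described in the finding: every winner is paid
    // without any check on the address. Standard ERC20 tokens revert on
    // transfer to address(0), so one bad entry reverts the entire call and
    // the loop can never reach the end. Every later call fails the same way.
    function _distributeUnchecked(
        address[] memory winners,
        uint256[] memory amounts
    ) internal {
        for (uint256 i = 0; i < winners.length; i++) {
            token.transfer(winners[i], amounts[i]);
        }
    }

    // HARDENED pattern: reject the batch before touching any funds, so an
    // invalid entry is surfaced as a clear error at input time rather than
    // as a repeated revert inside the transfer loop. The ERC20 return value
    // is also checked, since some tokens return false instead of reverting.
    function _distributeChecked(
        address[] memory winners,
        uint256[] memory amounts
    ) internal {
        require(winners.length == amounts.length, "winners/amounts length mismatch");

        // Validation pass: no state changes yet.
        for (uint256 i = 0; i < winners.length; i++) {
            require(winners[i] != address(0), "winner is zero address");
            require(winners[i] != address(this), "winner is the distributor itself");
        }

        // Transfer pass: only reached if every address passed validation.
        for (uint256 i = 0; i < winners.length; i++) {
            require(token.transfer(winners[i], amounts[i]), "token transfer failed");
        }
    }
}
```

The two-pass structure matters: validating inside the same loop as the transfers would still revert the whole batch, but only after some winners had already been credited in the failed transaction's trace, which makes debugging harder. Validating first keeps "reject invalid input" and "move funds" as separate steps, and the same non-zero check should be applied wherever the winners array is first written into storage.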