Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Inability to distribute rewards to a winner if their address is blacklisted by an ERC20 stablecoin or token

Summary

If a winner's wallet was blacklisted by a stablecoin or other ERC20 token before they won a contest, the transaction that should distribute their reward will fail, leaving them out of the reward pool with their funds undistributed.

Vulnerability Details

This issue can be seen in the `_distribute` function of the Distributor.sol contract (lines 116-156). The function does not consider the case where one of the winners' addresses is blacklisted by the reward token, which prevents that winner from being rewarded, and it contains no handling for such a scenario.

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        // @audit handle case for user's address blacklisted by reward token
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }

Impact

This will appear dishonest and insincere: the winners will probably be notified that they were among the winners but will not receive any reward, which gives the protocol a bad image.

Tools Used

Manual Review / VSCode

Recommendations

Add checks for cases where one or more winners in the list of addresses are blacklisted, then handle the blacklisted addresses (e.g. save them, skip them, or keep their rewards for a later date; there are multiple ways to handle their distribution), and proceed to distribute rewards to the unaffected, non-blacklisted winner addresses.
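One way to implement this recommendation, as an added example that is not code from Distributor.sol or the Sparkn project: a transfer the token rejects is recorded and skipped, so the loop continues for the remaining winners. The contract name, `pendingReward`, `RewardDeferred`, `_tryTransfer`, `claimPending` and the `BASIS_POINTS` value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added example. Only winners, percentages, totalAmount and the BASIS_POINTS
// name come from the snippet above; everything else is hypothetical.
contract TolerantDistributor {
    uint256 private constant BASIS_POINTS = 10000; // assumed value

    // token => winner => amount held back after a rejected transfer
    mapping(address => mapping(address => uint256)) public pendingReward;

    event RewardDeferred(address indexed token, address indexed winner, uint256 amount);

    function _distribute(IERC20 erc20, address[] memory winners,
        uint256[] memory percentages, uint256 totalAmount) internal {
        require(winners.length == percentages.length, "length mismatch");
        for (uint256 i; i < winners.length; ++i) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            if (!_tryTransfer(erc20, winners[i], amount)) {
                // Blacklisted or otherwise rejected: record it and keep going.
                pendingReward[address(erc20)][winners[i]] += amount;
                emit RewardDeferred(address(erc20), winners[i], amount);
            }
        }
    }

    // Low-level call so a revert inside the token does not bubble up.
    function _tryTransfer(IERC20 erc20, address to, uint256 amount) private returns (bool) {
        (bool ok, bytes memory ret) =
            address(erc20).call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        if (!ok) return false;
        // Tokens that return nothing count as success only if code exists.
        if (ret.length == 0) return address(erc20).code.length > 0;
        return ret.length >= 32 && abi.decode(ret, (bool));
    }

    // A winner whose transfer was deferred retries it at a later date.
    function claimPending(IERC20 erc20) external {
        uint256 amount = pendingReward[address(erc20)][msg.sender];
        require(amount > 0, "nothing pending");
        pendingReward[address(erc20)][msg.sender] = 0; // clear before the call
        require(_tryTransfer(erc20, msg.sender, amount), "transfer failed");
    }
}
```

The sketch assumes that no other code path moves the contract's remaining token balance; any such transfer would have to leave the deferred amounts in place.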
