There is no zero address check for winners[i] in _distribute of Distributor.sol
The percentage of the reward associated with a particular winner (potentially stated as address(0) due to user mistake) can be burned.
In the _distribute method from Distributor.sol there is a missing zero address check when performing the safeTransfer to winners[i]. As a result, the reward associated with a certain winner can potentially be sent to address(0). This particular winner won't get their reward, which can lead to a bad user experience. However, this will not affect the fee sent to the STADIUM_ADDRESS, as the amount sent to the zero address is still subtracted from the prize pool, and the distribute logic is that, after the transfer of tokens, balanceOf(address(this)) is what is sent to the STADIUM_ADDRESS, potentially sending dust as well. The only impact here is a bad user experience.
Let's take a look at the constructor of ProxyFactory:
There is the following check
if (_whitelistedTokens[i] == address(0)) revert ProxyFactory__NoZeroAddress();
ensuring none of the tokens from the array are equal to address(0). The same type of check should be implemented for winners[i] in the _distribute method.
Bad user experience
Manual Review
In the _distribute method of Distributor.sol, implement a zero address check for winners[i]. After this change, that part of the function will look like this:
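An added example of such a check, not code from the report or from the audited project: a hypothetical DistributorExample contract whose payout loop rejects address(0) before transferring. The contract, interface and error names, the 10,000 basis-point scale and the use of a plain transfer in place of safeTransfer (to keep the block self-contained) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example: hypothetical contract, not the audited Distributor.sol.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DistributorExample {
    // Hypothetical error names, modelled on ProxyFactory__NoZeroAddress.
    error DistributorExample__NoZeroAddress();
    error DistributorExample__MismatchedArrays();
    error DistributorExample__TransferFailed();

    uint256 private constant BASIS_POINTS = 10_000; // assumed percentage scale
    address private immutable STADIUM_ADDRESS; // fee recipient, as named in the finding

    constructor(address stadium) {
        if (stadium == address(0)) revert DistributorExample__NoZeroAddress();
        STADIUM_ADDRESS = stadium;
    }

    // Validation of the percentage sum is left out to keep the focus on the address check.
    function _distribute(IERC20Minimal token, address[] memory winners, uint256[] memory percentages)
        internal
    {
        if (winners.length == 0 || winners.length != percentages.length) {
            revert DistributorExample__MismatchedArrays();
        }
        uint256 totalAmount = token.balanceOf(address(this));
        for (uint256 i; i < winners.length; ++i) {
            // The check the finding asks for: reject address(0) before paying out.
            // A revert here also rolls back transfers made in earlier iterations.
            if (winners[i] == address(0)) revert DistributorExample__NoZeroAddress();
            uint256 amount = (totalAmount * percentages[i]) / BASIS_POINTS;
            if (!token.transfer(winners[i], amount)) revert DistributorExample__TransferFailed();
        }
        // Whatever remains (fee plus rounding dust) goes to the fee recipient.
        uint256 rest = token.balanceOf(address(this));
        if (!token.transfer(STADIUM_ADDRESS, rest)) revert DistributorExample__TransferFailed();
    }
}
```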