The Distributor contract doesn't check for zero amount while distributing rewards, which can end up blocking the operation.
In `_distribute()`, there is a loop (https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L145-L151) that iterates over an array of winners and transfers token amounts to their addresses based on the specified percentages. However, the code does not check that the computed token amount is non-zero before initiating the transfer.
This is concerning because some ERC20 implementations revert on zero-value transfers. If at least one of the reward tokens has this behavior, the current implementation can cause a denial of service: a zero-amount transfer of that token reverts, which reverts the whole distribution transaction and blocks the rewards of every winner.
This vulnerability could be exploited by intentionally supplying zero values as percentages for one or more winners. The resulting transfer amounts would be zero, and with a zero-reverting token each such transfer reverts the entire call. Because the revert affects the whole distribution, the contract becomes unable to process legitimate reward distributions, disrupting its core functionality.
Manual Review
Check for zero amount before executing the transfer:
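As an added illustration of the recommended guard (not the Sparkn code; the function signature, the `BASIS_POINTS` denominator, the event and the OpenZeppelin imports are assumptions), a simplified distribution loop that skips zero amounts instead of letting one zero-reverting token block every winner:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative distributor, not the audited contract. Names are assumptions.
contract ZeroAmountSafeDistributor {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000; // assumed percentage denominator

    /// Emitted when a winner's computed share rounds to zero and is skipped,
    /// so off-chain monitoring can spot suspicious zero-percentage inputs.
    event ZeroRewardSkipped(address indexed token, address indexed winner);

    error LengthMismatch();
    error InvalidTotalPercentage(uint256 total);

    /// Splits this contract's `token` balance among `winners` by `percentages`.
    function _distribute(
        address token,
        address[] memory winners,
        uint256[] memory percentages
    ) internal {
        if (winners.length != percentages.length) revert LengthMismatch();

        uint256 totalAmount = IERC20(token).balanceOf(address(this));
        uint256 totalPercentage;

        for (uint256 i = 0; i < winners.length; ++i) {
            totalPercentage += percentages[i];
            uint256 amount = (totalAmount * percentages[i]) / BASIS_POINTS;

            // Vulnerable form: transferring unconditionally lets a token that
            // reverts on zero-value transfers revert the whole distribution.
            //   IERC20(token).safeTransfer(winners[i], amount);

            // Hardened form: skip the transfer when the share is zero.
            if (amount == 0) {
                emit ZeroRewardSkipped(token, winners[i]);
                continue;
            }
            IERC20(token).safeTransfer(winners[i], amount);
        }

        // Still enforce that the percentages add up to the full distribution.
        if (totalPercentage != BASIS_POINTS) revert InvalidTotalPercentage(totalPercentage);
    }
}
```

Rejecting zero percentages at input validation time is an equivalent alternative; the in-loop guard also covers amounts that round down to zero for small balances.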