Depending on the balance of the smart contract to distribute rewards can result in undesired behavior if tokens are unexpectedly sent to the smart contract.
On line 139 of Distributor.sol, the _distribute function uses the current balance of the contract to determine the total amount to distribute.
uint256 totalAmount = erc20.balanceOf(address(this));
However, if erc20 tokens are sent to the contract unexpectedly, the contract balance is greater than anticipated and the distribution behaves in an undesirable and unexpected way.
Additionally, the SafeMath library should be used for any uint256 calculations to prevent overflows.
In line 146, the calculation uint256 amount = totalAmount * percentages[i] / BASIS_POINTS; can result in an integer overflow, especially when combined with unexpected tokens in the smart contract.
Unexpected (and/or incorrect) payment to winners
VS Code
Use the SafeMath library from Openzeppelin
Consider adding the following line in your smart contract
using SafeMath for uint256;
If applying logic based on this.balance, you have to anticipate unexpected balances.
Use a self-defined variable to store the total balance expected to safely track deposited erc20 tokens.
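The following is an added illustration of that recommendation, not the audited Distributor.sol: a simplified distributor (contract, function and variable names are assumptions) that records deposits in its own totalDeposited variable and distributes from that value instead of erc20.balanceOf(address(this)). It targets Solidity 0.8, whose checked arithmetic reverts on overflow; on 0.7 or earlier, add the SafeMath import and `using SafeMath for uint256;` as recommended above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical, simplified distributor illustrating the recommendation.
// Names are assumptions, not those of the audited contract.
contract TrackedDistributor {
    using SafeERC20 for IERC20;

    uint256 public constant BASIS_POINTS = 10_000;
    IERC20 public immutable erc20;

    // Only tokens credited through deposit() count toward a distribution.
    // Tokens pushed in by a plain transfer() never enter this accounting.
    uint256 public totalDeposited;

    constructor(IERC20 token) {
        erc20 = token;
    }

    // Pull tokens from the caller and record them explicitly.
    function deposit(uint256 amount) external {
        erc20.safeTransferFrom(msg.sender, address(this), amount);
        totalDeposited += amount; // checked arithmetic: reverts on overflow
    }

    function _distribute(address[] memory winners, uint256[] memory percentages) internal {
        require(winners.length == percentages.length, "length mismatch");
        uint256 totalAmount = totalDeposited; // NOT erc20.balanceOf(address(this))
        uint256 sum;
        for (uint256 i = 0; i < percentages.length; i++) {
            sum += percentages[i];
        }
        require(sum == BASIS_POINTS, "percentages must total 100%");
        totalDeposited = 0; // reset before external calls
        for (uint256 i = 0; i < winners.length; i++) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winners[i], amount);
        }
    }

    // Tokens above the tracked total (stray transfers, rounding dust) are
    // reported separately instead of silently inflating the next payout.
    function strayBalance() public view returns (uint256) {
        return erc20.balanceOf(address(this)) - totalDeposited;
    }
}
```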