Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

If an ERC20 has a blocklist and at least one winner is blocked, the whole _distribute call will revert

Summary

The description of Distributor.sol gives a list of ERC20 tokens that will be used as reward tokens for contests, but some of the tokens in that list implement a blocklist mechanism.

Vulnerability Details

If an address is blocked, transfers to and from that address are forbidden.
As a result, a single blocklisted address causes the whole _distribute(...) call to revert, which wastes gas and forces the organizer to choose between:

  1. Recalculate the prize distribution by removing the blocked winner from the array

  2. Retrieve the funds (possible to do that by distributing the whole prize to the Sponsor), in order to send another ERC20 and make the distribution happen as expected.

Impact

Case (1) ==> This choice harms the removed winner, who spent time working on a solution for nothing.

Case (2) ==> This incurs a cost, both in terms of gas and because of the commission transfer to the stadium address.

Tools Used

Manual review

Recommendations

Tokens with a blocklist should be avoided.
Another solution would be to wrap the erc20.safeTransfer call inside a try/catch block, and send the blocked reward to an address that will be able to compensate the blocked winner with their due reward.
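
One way to implement the second recommendation, as an added example that is not code from the Sparkn repository or from this submission. Solidity's try/catch applies only to external calls and contract creation, so the internal library call safeTransfer cannot be wrapped directly; the example uses a low-level call that reports failure instead of reverting. The names TolerantPayout, _tryTransfer, _payAll, RewardRedirected and fallbackRecipient are hypothetical, and the OpenZeppelin IERC20 import is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Added illustration; not the Sparkn Distributor. All names are hypothetical.
abstract contract TolerantPayout {
    /// Assumed trusted escrow that later settles with winners who could not be paid.
    address public immutable fallbackRecipient;

    event RewardRedirected(address indexed token, address indexed winner, uint256 amount);

    error LengthMismatch();
    error FallbackTransferFailed(address winner, uint256 amount);

    constructor(address fallbackRecipient_) {
        require(fallbackRecipient_ != address(0), "zero fallback");
        fallbackRecipient = fallbackRecipient_;
    }

    /// Non-reverting transfer: false if the token reverts (e.g. blocklisted
    /// recipient), returns false, or the target has no code.
    function _tryTransfer(IERC20 token, address to, uint256 amount) private returns (bool) {
        if (address(token).code.length == 0) return false;
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeCall(IERC20.transfer, (to, amount)));
        // Tokens that return no data count as success when the call did not revert.
        return ok && (ret.length == 0 || (ret.length >= 32 && abi.decode(ret, (bool))));
    }

    /// Pays every winner; a failed payout is redirected instead of reverting the batch.
    function _payAll(IERC20 token, address[] memory winners, uint256[] memory amounts) internal {
        if (winners.length != amounts.length) revert LengthMismatch();
        for (uint256 i; i < winners.length; ++i) {
            if (_tryTransfer(token, winners[i], amounts[i])) continue;
            // If even the escrow cannot be paid (e.g. insufficient balance),
            // revert so no reward is silently lost.
            if (!_tryTransfer(token, fallbackRecipient, amounts[i])) {
                revert FallbackTransferFailed(winners[i], amounts[i]);
            }
            emit RewardRedirected(address(token), winners[i], amounts[i]);
        }
    }
}
```

The RewardRedirected event gives the organizer an on-chain record of which winner is owed which amount by the fallback recipient.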
