Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Using basis points for percentage is not precise enough for realistic use-cases

Summary

Using 10000 for BASIS_POINTS is not precise enough for the protocol use case.

Vulnerability Details

The Distributor contract is intended to be used to distribute its own balance (i.e. prize pool) to recipients. The admin is expected to supply the list of winners, along with their percentage share of the prize pool. The contract will then distribute the prize to the recipients.

However, BASIS_POINTS is defined as 10000, so the smallest share a recipient can be assigned is 0.01% of the prize pool. We argue that this is not precise enough.

  • Audit contests (e.g. on Code4rena, Sherlock, Codehawks) have prize pools worth tens of thousands of USD; a standard contest is often around 50,000 USDC. With a basis of 10000, each winner's payout can only be set in $5 increments.

  • The SPARKN contest itself has a prize pool of $15,000. If an auditor's payout is not a multiple of $1.50, it cannot be distributed exactly.

    • It is common for a contest to have a finding with many duplicates, whose per-auditor payout is less than $1.

    • It is also common for distribution events (e.g. airdrops, prize distributions) to use percentages that are not multiples of 0.01%.

Therefore the prize cannot be distributed accurately in such use-cases.

While it is technically possible to distribute the rewards across several sponsor transactions with an equal number of distribution transactions, this significantly complicates the reward calculation. At that point it is simpler to use plain ERC20 transfers to the winners, which defeats the purpose of the protocol to begin with. Therefore submitting as high.

Impact

It may not be possible to distribute rewards with high enough precision, blocking many realistic use cases.

Tools Used

Manual review

Recommendations

Use 10**18 for BASIS_POINTS instead of the current value; a share of 1/10**18 of a 15,000 USDC pool is far below one USDC base unit (10**-6 USDC), so any realistic payout can be expressed exactly.
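To make the precision argument in Vulnerability Details and the 10**18 recommendation concrete, here is an added example (not Sparkn's code) that models the Distributor's integer arithmetic, amount_i = pool * share_i / BASIS_POINTS with uint256-style truncation, and reports the smallest expressible payout and the per-winner error for a given basis. The function names, the USDC base-unit convention and the sample payouts are assumptions made for this illustration; the payouts are constructed to sum to the SPARKN pool.

```python
# Added example, not Sparkn's code: a model of the Distributor's integer
# share arithmetic, amount_i = pool * share_i / BASIS_POINTS with uint256-style
# truncation, used to quantify what a given BASIS_POINTS can express.
# Function names and the sample payouts are assumptions made here.
# Amounts are in USDC base units (6 decimals) so no floating point is involved.

USDC = 10**6  # 1 USDC in base units


def payout_step(pool: int, basis: int) -> int:
    """Smallest non-zero payout the contract can express for this pool (base units).

    A share of 1/basis pays pool // basis; every payout is a multiple of it.
    """
    return pool // basis


def nearest_share(target: int, pool: int, basis: int) -> int:
    """Share (in units of 1/basis) whose payout is closest to `target`.

    Equivalent to round(target * basis / pool) with ties rounded up, done in
    integers so the result matches what the contract will compute.
    """
    return (2 * target * basis + pool) // (2 * pool)


def payout(pool: int, share: int, basis: int) -> int:
    """What the contract transfers for one winner: pool * share / basis, truncated."""
    return pool * share // basis


def plan(pool: int, targets: list[int], basis: int) -> dict:
    """Turn intended payouts into shares that sum to `basis`, then measure the error.

    `targets` are the payouts the sponsor actually wants, in base units, and
    must sum to `pool`. Any rounding remainder in the shares is pushed onto the
    last winner (a sponsor-side policy choice, not contract behaviour).
    """
    if sum(targets) != pool:
        raise ValueError("targets must sum to the pool")
    shares = [nearest_share(t, pool, basis) for t in targets]
    shares[-1] += basis - sum(shares)
    if min(shares) < 0:
        raise ValueError("basis too coarse to represent these payouts at all")
    paid = [payout(pool, s, basis) for s in shares]
    errors = [p - t for p, t in zip(paid, targets)]
    return {
        "shares": shares,
        "paid": paid,
        "max_abs_error": max(abs(e) for e in errors),
        "dust": pool - sum(paid),  # anything not paid out stays in the contract
    }


if __name__ == "__main__":
    pool = 15_000 * USDC
    # Constructed payouts: a $0.75 heavily-duplicated finding, a $2.25 one,
    # and the remainder of the pool to a third winner.
    targets = [750_000, 2_250_000, pool - 3_000_000]
    for basis in (10_000, 10**18):
        r = plan(pool, targets, basis)
        print(f"basis={basis}: step={payout_step(pool, basis)} base units, "
              f"max error={r['max_abs_error']} base units, dust={r['dust']}")
```

With a basis of 10000 the $0.75 winner receives either $0 or $1.50 (error of up to one full 1.5 USDC step); with 10**18 every payout in the constructed set is exact and no dust is left behind. Raising the basis to 10**18 does not risk overflow in the contract's multiplication: pool * share would only exceed uint256 for a pool above roughly 1.16e59 base units, far beyond any real token supply.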
