Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Distribution to winners might revert if winner[i] is in USDC/USDT blacklist

Summary

Failure to distribute rewards in a contest funded with USDC/USDT.

Vulnerability Details

The NatSpec comments state that the protocol intends to work with USDC, USDT, JPYCv1, JPYCv2 and DAI. USDC and DAI are tokens that implement an admin-controlled blacklist: if an address is on that blacklist, any transfer to it reverts. Because rewards are distributed with a push pattern and a transfer happens on every iteration of the loop below...

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }

...if one of those transfers fails because one winner[i] is blacklisted, the whole transaction reverts and the other winners do not receive their rewards either. This can also cause trouble if a blacklisted sponsor tries to load the precomputed proxy address with USDC/USDT. However, above the _distribute function in Distributor.sol there is the following comment: "@notice An internal function to distribute JPYC to winners." I am not sure whether this logic will only be used for distributing JPYC, but since there is no other logic implemented for contests funded with any of the other stablecoins, I believe this is a valid issue.

The impact of this is high because funds won't be able to be distributed. However, the likelihood is low because, first, the contest has to be funded with either USDC or USDT and, second, it requires the special condition that one of the winners is on either USDC's or USDT's blacklist. Therefore I am choosing medium severity.

Impact

Winners (supporters) won't be able to receive their rewards if one of them is blacklisted.

Tools Used

Manual Review

Recommendations

This happens because of the push pattern used to distribute funds. I do not think a pull pattern is an appropriate recommendation here, having in mind the logic and the purpose of the protocol. In my opinion, off-chain monitoring for blacklisted addresses might be useful, but I am not sure how this can be 100 percent prevented.
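The following is an added example, not code from Sparkn's Distributor.sol, that illustrates both the failure mode described in Vulnerability Details and one way to keep the push pattern while isolating a single reverting transfer. The distributor performs the same per-winner push, but uses a low-level call so that a revert from a blacklisting token (USDC/USDT style) is recorded as a deferred balance instead of aborting the whole loop; the remaining winners are still paid in the same transaction. The mock token, the ResilientDistributor contract, the BASIS_POINTS value and the unclaimed/claim names are all assumptions for this example; it assumes OpenZeppelin Contracts v5 for the _update hook and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock of a stablecoin with an admin-controlled blacklist
/// (behaviour modelled on USDC/USDT; not the real token code).
contract BlacklistableToken is ERC20 {
    address public immutable admin;
    mapping(address => bool) public blacklisted;

    constructor() ERC20("Mock USD", "mUSD") {
        admin = msg.sender;
        _mint(msg.sender, 1_000_000e6);
    }

    function setBlacklisted(address who, bool status) external {
        require(msg.sender == admin, "not admin");
        blacklisted[who] = status;
    }

    // OpenZeppelin v5 hook: any transfer involving a blacklisted party reverts.
    function _update(address from, address to, uint256 value) internal override {
        require(!blacklisted[from] && !blacklisted[to], "blacklisted");
        super._update(from, to, value);
    }
}

/// Hypothetical distributor showing a push loop that cannot be blocked by one
/// reverting recipient. Amounts that could not be pushed stay in the contract
/// and are claimable later by the same winner address only.
contract ResilientDistributor {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000; // assumed value

    /// token => winner => amount that could not be pushed
    mapping(address => mapping(address => uint256)) public unclaimed;

    event TransferDeferred(address indexed token, address indexed winner, uint256 amount);

    /// Push each winner's share; a failing transfer is deferred, not fatal.
    function distribute(
        address token,
        address[] calldata winners,
        uint256[] calldata percentages,
        uint256 totalAmount
    ) external {
        require(winners.length == percentages.length, "length mismatch");
        require(token.code.length > 0, "token has no code"); // a call to an EOA would "succeed"
        uint256 winnersLength = winners.length;
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            // Low-level call instead of safeTransfer: a revert (e.g. blacklist)
            // is reported via `ok` rather than bubbling up and reverting the loop.
            (bool ok, bytes memory ret) =
                token.call(abi.encodeCall(IERC20.transfer, (winners[i], amount)));
            // Accept both a standard `true` return and the empty return some
            // tokens (USDT) produce.
            bool success = ok && (ret.length == 0 || abi.decode(ret, (bool)));
            if (!success) {
                unclaimed[token][winners[i]] += amount;
                emit TransferDeferred(token, winners[i], amount);
            }
            unchecked {
                ++i;
            }
        }
    }

    /// Pull path for deferred amounts. Pays only msg.sender, so a winner that is
    /// still blacklisted simply cannot claim yet; the funds are not redirected.
    function claim(address token) external {
        uint256 amount = unclaimed[token][msg.sender];
        require(amount > 0, "nothing to claim");
        unclaimed[token][msg.sender] = 0;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

To reproduce the finding with the mock: deploy BlacklistableToken, blacklist one of three winner addresses, fund a ResilientDistributor and call distribute. The two non-blacklisted winners receive their shares and a TransferDeferred event is emitted for the third, whereas the original safeTransfer loop would have reverted the entire call. Note that the deferred balance is only safe to hold on-chain if the distributor itself is never blacklisted; a blacklisted sponsor loading the proxy, as mentioned above, is a separate problem that this pattern does not address.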
