Summary
DoS in distribution because the token reverts on a zero-value transfer.
Vulnerability Details
Organizers pass values like: the token, the winners' addresses and their corresponding percentages.
File: Distributor.sol
    function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
        internal
    {
        // --------- SNIP: Input Validation -------- //
        // winnersLength is assumed to be set in the snipped section, i.e. winners.length
        IERC20 erc20 = IERC20(token);
        uint256 totalAmount = erc20.balanceOf(address(this));
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
    @->     erc20.safeTransfer(winners[i], amount);
            unchecked {
                ++i;
            }
        }
    }
The issue here arises in the calculation of the reward amount:
    uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
There are weird ERC20 tokens that revert on a zero-value transfer. If a winner's percentage is very low and the token has a small number of decimals, the integer division can round amount down to 0.
In that case the function reverts on the line marked with @-> above, so the entire distribution fails (DoS), including for winners whose share is non-zero. It is therefore recommended to add a check that amount > 0 before transferring.
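The rounding and its effect on the loop can be reproduced off-chain. The following is an added Python model, not code from the audited project: it mirrors the Solidity integer division with BASIS_POINTS assumed to be 10_000, uses a constructed mock token that reverts on zero-value transfers, and runs the distribution loop with and without the recommended amount > 0 check.

```python
# Added example: models _distribute() against a token that reverts on zero transfers.
# BASIS_POINTS = 10_000 is an assumption; the finding does not state the constant.
BASIS_POINTS = 10_000


class ZeroTransferRevert(Exception):
    """Raised by the mock token to emulate an on-chain revert on amount == 0."""


class RevertOnZeroToken:
    """Constructed mock of a 'weird' ERC20 whose transfer(…, 0) reverts."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def safe_transfer(self, src, dst, amount):
        if amount == 0:
            raise ZeroTransferRevert(f"transfer of 0 to {dst} reverted")
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


def distribute(token, distributor, winners, percentages, skip_zero):
    """Port of the loop in _distribute(); skip_zero=True applies the recommended fix."""
    total = token.balance_of(distributor)  # erc20.balanceOf(address(this))
    for winner, pct in zip(winners, percentages):
        amount = total * pct // BASIS_POINTS  # Solidity division truncates toward zero
        if skip_zero and amount == 0:
            continue  # fix: do not call transfer for a rounded-down share
        token.safe_transfer(distributor, winner, amount)
    return token.balances


def run(skip_zero):
    """Constructed scenario: 5_000 base units (e.g. 50.00 of a 2-decimal token),
    one winner at 99.99% and one at 0.01%. Returns final balances, or None on revert."""
    token = RevertOnZeroToken({"distributor": 5_000})
    try:
        return distribute(token, "distributor", ["alice", "bob"], [9_999, 1], skip_zero)
    except ZeroTransferRevert:
        return None  # whole distribution reverted: DoS for alice as well


if __name__ == "__main__":
    print("without check:", run(skip_zero=False))
    print("with check:   ", run(skip_zero=True))
```

Note that with the check in place the winner whose share rounds to zero simply receives nothing and the dust (here 1 base unit) stays in the contract, so the project may also want to handle or sweep such remainders.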
Impact
DoS in distribution
Tools Used
VS Code
Recommendations
Make the following change:
File: Distributor.sol
    function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
        internal
    {
        // --------- SNIP: Input Validation -------- //
        IERC20 erc20 = IERC20(token);
        uint256 totalAmount = erc20.balanceOf(address(this));
        // --------- SNIP -------- //
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
    +       if (amount > 0) {
                erc20.safeTransfer(winners[i], amount);
    +       }
            unchecked {
                ++i;
            }
        }
        // --------- SNIP -------- //
    }