Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Using a percentages mechanism to distribute the tokens limits the number of winners and prevents the organizer from distributing rewards to a large number of users

Summary

Using basis-point percentages to distribute the rewards limits the number of winners that can be specified, which prevents the winners from getting their rewards and can DoS the distribute function.

Vulnerability Details

In the Distributor contract, for the organizer to distribute the rewards among the winners he calls deployProxyAndDistribute() or deployProxyAndDistributeBySignature() and must pass two arrays, winners and percentages. The sum of the values in the percentages array cannot exceed 9500 bps, which is 10_000 - COMMISSION_FEE = 10_000 - 500 = 9500 (and, per the check shown below, must equal it exactly).
The vulnerability arises from the resulting limit on the number of winners that can be rewarded, while the README specifies no limit on the number of winners.

POC

There are two scenarios in which this vulnerability can occur:

1) The organizer has e.g. 8000 winners. The first winner is given 1000 basis points of the totalAmount, which represents 10%, and the second winner is given another 1000 basis points, so the remaining basis points are 10000 - 1000 - 1000 - 500 (the fee) = 7500. If the organizer wants to divide the remaining tokens in equal quantities among the remaining 7998 winners, the function will revert, because the minimum percentage per winner is 1 and the sum of the percentages is then greater than 9500 (10000 - COMMISSION_FEE). This prevents the winners from getting their rewards.

2) The organizer has more than 9500 winners and wants to distribute the reward in equal quantities among all of them. The function reverts because the sum of the percentages is greater than 9500, which again prevents the winners from getting their rewards.

```solidity
// --> the function whose percentage check limits the number of winners
function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
    internal
{
    // token address input check
    if (token == address(0)) revert Distributor__NoZeroAddress();
    if (!_isWhiteListed(token)) {
        revert Distributor__InvalidTokenAddress();
    }
    // winners and percentages input check
    if (winners.length == 0 || winners.length != percentages.length) revert Distributor__MismatchedArrays();
    uint256 percentagesLength = percentages.length;
    uint256 totalPercentage;
    for (uint256 i; i < percentagesLength;) {
        // --> every winner adds at least 1 bps to the running total
        totalPercentage += percentages[i];
        unchecked {
            ++i;
        }
    }
```

The check that causes the _distribute() function to revert:

```solidity
    if (totalPercentage != (10000 - COMMISSION_FEE)) {
        revert Distributor__MismatchedPercentages();
    }
```

Impact

This vulnerability prevents the organizer from distributing the rewards to the winners and causes the _distribute() function to always revert in this case, which amounts to a loss of funds for the winners.

Tools Used

Manual review

Recommendations

Use a dynamic shares mechanism that allows the organizer to specify a number of shares for each user, then compute the sum of the shares and take the fee as a percentage of the total token amount before splitting the remainder pro rata. This supports an unlimited number of winners.
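The following added example (not code from the Sparkn contract or from CodeFox) simulates both the POC scenarios above and this recommendation. It mirrors the page's constants (COMMISSION_FEE = 500 bps out of 10_000) and the `totalPercentage != (10000 - COMMISSION_FEE)` check, then shows the same winner lists succeeding under a shares-based split; the function names, the 1_000_000 token total and the exception class are assumptions for illustration.

```python
# Added example, not the project's code: compares the basis-point check that
# makes _distribute() revert with the shares mechanism recommended above.
# Constants mirror the finding; function names are assumed for illustration.

COMMISSION_FEE = 500      # bps, as stated on the page
BASIS_POINTS = 10_000


class MismatchedPercentages(Exception):
    """Stands in for Distributor__MismatchedPercentages()."""


def distribute_bps(total_amount, percentages):
    """Current mechanism: winner i receives percentages[i] bps of total_amount.
    Reverts unless the percentages sum to exactly 10_000 - COMMISSION_FEE, so
    the number of winners can never exceed 9500 (each needs at least 1 bps)."""
    total_percentage = sum(percentages)
    if total_percentage != BASIS_POINTS - COMMISSION_FEE:
        raise MismatchedPercentages(total_percentage)
    fee = total_amount * COMMISSION_FEE // BASIS_POINTS
    payouts = [total_amount * p // BASIS_POINTS for p in percentages]
    return fee, payouts


def distribute_shares(total_amount, shares):
    """Recommended mechanism: take the fee off the top, then split the rest
    pro rata by shares. The share total is not tied to a fixed bps budget,
    so any number of winners with non-zero shares is accepted."""
    if not shares or any(s == 0 for s in shares):
        raise ValueError("each winner needs a non-zero share")
    fee = total_amount * COMMISSION_FEE // BASIS_POINTS
    distributable = total_amount - fee
    total_shares = sum(shares)
    # integer division leaves rounding dust in the contract, as bps math does
    payouts = [distributable * s // total_shares for s in shares]
    return fee, payouts


def scenario_one(n_winners=8000):
    """POC scenario 1: two winners at 1000 bps each, the other 7998 at 1 bps."""
    return [1000, 1000] + [1] * (n_winners - 2)


def scenario_two(n_winners=9501):
    """POC scenario 2: more than 9500 winners, all at the minimum of 1 bps."""
    return [1] * n_winners


def bps_reverts(percentages, total_amount=1_000_000):
    """True when the percentage check would revert for this winner list."""
    try:
        distribute_bps(total_amount, percentages)
    except MismatchedPercentages:
        return True
    return False


if __name__ == "__main__":
    for name, plist in (("scenario 1", scenario_one()), ("scenario 2", scenario_two())):
        print(f"{name}: bps sum={sum(plist)} reverts={bps_reverts(plist)}")
        fee, payouts = distribute_shares(1_000_000, plist)
        print(f"{name}: shares fee={fee} winners paid={len(payouts)} total={sum(payouts)}")
```

Running it shows both POC lists failing the basis-point check (sums of 9998 and 9501 instead of 9500) while the shares split pays every winner and still keeps the 5% commission; the only residue is integer-division dust, which the basis-point path leaves behind as well.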
