The distribute function does not validate the winner addresses it pays out to: it never checks that winners[i] is not address(0) before transferring the sponsor's tokens. An unset or zero entry in winners therefore sends that winner's share to the zero address, where no account can retrieve it.
The root cause is the missing address validation inside distribute. In Solidity an address slot that has never been written holds address(0), so a winners array that contains a default or unset entry passes through the payout loop unchanged, and the loop calls the reward token's transfer with address(0) as the recipient. What happens next depends on the token: an implementation that rejects the zero address as a receiver (OpenZeppelin's ERC20 does) reverts and blocks the whole distribution, while a token without that check simply moves the balance to address(0), which nobody controls.
Loss of sponsor's tokens: if a winner entry is unset, and therefore equal to address(0), the tokens allocated to that winner are transferred to the zero address, which no account controls, so they are burned instead of paid out.
No recovery path: the contract has no function to claw back or redirect a mis-sent payout, so once the transfer has executed the loss is permanent.
Negative sponsor experience: a sponsor whose reward pool is partly burned through this oversight cannot complete the payout as intended and has no way to make the affected winners whole from the contract.
Manual review
Implement address validation: before each token transfer in distribute, require that winners[i] is not address(0), for example with require(winners[i] != address(0), "zero winner"), so that a bad entry reverts the call instead of sending tokens to the zero address. Apply the same check at the point where the winners array is supplied, so an invalid entry is rejected before any tokens are committed to it.
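The sketch below is an added illustration, not code from the audited contract: it shows a hypothetical contract of the shape the finding describes (constructor takes a reward token, a winners array and a matching rewards array; distribute loops over them) first without the check and then hardened as recommended. The contract names, the rewards array and the custom errors are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below. Assumption: the audited contract pays
// winners with a standard ERC20 reward token already held by the contract.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch of the vulnerable shape described in the finding.
// Names (PotVulnerable, rewards) are assumed for illustration only.
contract PotVulnerable {
    IERC20 public immutable token;
    address[] public winners;
    uint256[] public rewards;

    constructor(IERC20 _token, address[] memory _winners, uint256[] memory _rewards) {
        require(_winners.length == _rewards.length, "length mismatch");
        token = _token;
        winners = _winners;   // an unset entry silently arrives as address(0)
        rewards = _rewards;
    }

    // BUG: winners[i] is never compared against address(0). With a token that
    // permits the zero receiver, rewards[i] is moved to address(0) and is gone.
    function distribute() external {
        for (uint256 i = 0; i < winners.length; i++) {
            require(token.transfer(winners[i], rewards[i]), "transfer failed");
        }
    }
}

// Hardened version: reject zero entries when the winners are supplied and
// again before each transfer, so a bad entry reverts instead of burning funds.
contract PotFixed {
    error ZeroWinner(uint256 index);
    error LengthMismatch();

    IERC20 public immutable token;
    address[] public winners;
    uint256[] public rewards;

    constructor(IERC20 _token, address[] memory _winners, uint256[] memory _rewards) {
        if (_winners.length != _rewards.length) revert LengthMismatch();
        // Validate at input time: no tokens are committed to an unset winner.
        for (uint256 i = 0; i < _winners.length; i++) {
            if (_winners[i] == address(0)) revert ZeroWinner(i);
        }
        token = _token;
        winners = _winners;
        rewards = _rewards;
    }

    function distribute() external {
        for (uint256 i = 0; i < winners.length; i++) {
            address to = winners[i];
            // Defense in depth: the constructor already rejected zero entries,
            // but the check is cheap and covers any future setter path.
            if (to == address(0)) revert ZeroWinner(i);
            require(token.transfer(to, rewards[i]), "transfer failed");
        }
    }
}
```

With OpenZeppelin's ERC20 as the reward token, PotVulnerable.distribute reverts on a zero entry because that implementation refuses address(0) as a receiver, so the symptom is a stuck distribution rather than a burn; with a token that lacks that check, the balance of address(0) grows by rewards[i] and the sponsor's tokens are unrecoverable. PotFixed turns both outcomes into a clear ZeroWinner(i) revert that names the offending index.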