Sparkn

Summary

Not too serious rounding error risk here, depending on how the protocol team sees this. (If NFTs or other indivisible tokens were used instead, for reward tokens, this risk would not exist.)

So for certain values for totalAmount and percentages[i] in the below line, the result will definitely be rounded down to zero, 0.

uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;

Vulnerability Details

uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;

Case 1: percentages[i] == 9500 == 95%, the max % value that can be used here because commission is 5%.
So, if only 1 ERC20 token is available as contest funds(unlikely), then:

amount = 1 * 9500 / 10000 = 0.95 = 0 after rounding down.

Result: winner gets 0 reward and STADIUM_ADDRESS receives more funds than it should get.

Case 2: percentages[i] == 100 == 1%:

amount = 99 * 100 / 10000 = 0.99 = 0 after rounding down.

Result: winner gets 0 reward and STADIUM_ADDRESS receives more funds than it should get.

Impact

• Some winner(s) wont get their share of reward, as safetransfer will just transfer 0 amount.

• and STADIUM_ADDRESS receives more tokens than it should get.

Tools Used

VSC, manual.

Recommendations

Several approaches could work but I'd recommend Fixed Point Math libraries like ABDK Math 64.64 to perform fractional calculations more accurately.