The provided code snippet contains a vulnerability that could lead to funds being trapped in the contract. It arises in the _distribute() function, which loops through the winners[] array and pays each winner out. Tokens such as USDT and USDC implement a contract-level, admin-controlled address blocklist, so a malicious or compromised token owner could block the contract's address. This would cause the entire transaction to revert, leaving the funds trapped within the contract.
The vulnerability occurs in the _distribute() function, specifically in the loop that transfers tokens to the winners. Because the loop iterates over an array of winners' addresses and performs a token transfer to each of them, if any winner's address is on USDT's blocklist that transfer is forbidden and the whole transaction reverts. Funds then become stuck in the contract and the intended distribution fails.
The problem is that a single blocklisted address in the array reverts the entire transaction, resulting in a DoS of the contract with all of the funds stuck.
Manual Review
Possible solutions:
Implement 2-step withdrawals:
Users call the safeWithdraw function with their address as an argument.
The function verifies the user's address and their non-zero balance.
If both conditions are met, the function transfers the allocated tokens from the contract to the user's address.
Skip blacklisted users:
Save all the blacklisted addresses in a variable.
Skip those addresses in the processWithdrawals loop.
Address verification: prior to performing any token transfers in the _distribute function, validate each winner's address against the token's blocklist. If any address is found to be blocked, skip the transfer for that specific winner.
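To make the first recommendation concrete, here is an added example (not the audited project's code) showing the push-style loop that one blocklisted winner can revert, next to a pull-style 2-step withdrawal. The contract, its state variables and the use of OpenZeppelin's SafeERC20 are assumptions; the verified user address is taken from msg.sender rather than passed as an argument.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical prize pool illustrating the finding; not the audited contract.
contract PrizePool {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;                  // e.g. USDT or USDC (assumed)
    address[] public winners;                       // populated elsewhere (assumed)
    mapping(address => uint256) public pendingWithdrawals;

    constructor(IERC20 _token) {
        token = _token;
    }

    // VULNERABLE (push pattern): if any winners[i] is on the token's blocklist,
    // that transfer reverts, the loop reverts, nobody is paid and the funds stay here.
    function _distributePush(uint256 amountEach) internal {
        for (uint256 i = 0; i < winners.length; i++) {
            token.safeTransfer(winners[i], amountEach);
        }
    }

    // HARDENED (pull pattern / 2-step withdrawal): the loop only records balances,
    // so a single blocked address cannot prevent the other winners from being paid.
    function _distributePull(uint256 amountEach) internal {
        for (uint256 i = 0; i < winners.length; i++) {
            pendingWithdrawals[winners[i]] += amountEach;
        }
    }

    // Step 2: each winner withdraws individually. Checks-effects-interactions:
    // verify a non-zero balance, zero it, then make the external transfer.
    function safeWithdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount);
    }
}
```

With the pull pattern a blocklisted winner's own safeWithdraw call still reverts, but that only affects their share; every other winner can claim normally.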