Calls inside loops that may lead to DoS
Calls to external contracts inside a loop are dangerous because they can lead to a DoS if one of the calls reverts or execution runs out of gas: a single failing call reverts the whole loop, so no recipient is processed. Such an issue also introduces the risk of the loop growing until it exceeds the block gas limit.
In Distributor.sol, the _distribute() function, which relies on a low-level call, is invoked inside a for-loop.
Note that OpenZeppelin's SafeERC20 is used in the contract and safeTransfer() is used in _distribute(). safeTransfer() itself performs a low-level call (a failed call reverts the caller). It can be checked here and here.
Per SWC-113:
External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be initiated by the recipient of the call.
Reference link: https://swcregistry.io/docs/SWC-113
Other References
Similar Medium severity issue found in Cudos audit: Reference link
SWC-113(DoS with Failed Call): Reference link
Consensys best practices: Reference link
Manual review
Avoid combining multiple calls in a single transaction, especially when calls are executed as part of a loop; prefer a pull-payment pattern where each recipient claims in its own transaction.
Always assume that external calls can fail.
Implement the contract logic to handle failed calls.
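The following is an added illustration of the pattern described in this finding and of the SWC-113 recommendation; it is not code from Distributor.sol (whose source is not reproduced here), and the contract and function names (PushDistributor, PullDistributor, allocate, claim) are hypothetical. The first contract shows the risky push-style loop, where one failing safeTransfer reverts the entire batch; the second shows the pull-payment form in which the loop only does accounting and every external call happens in the recipient's own transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical push-style distributor illustrating the finding: the loop calls
// the token for every recipient. safeTransfer reverts on a failed call, so a
// single recipient the token refuses to pay (or a long enough list that the
// loop exceeds the block gas limit) blocks payment to everyone.
contract PushDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    address[] public recipients;
    mapping(address => uint256) public owed;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function addRecipient(address r, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        if (owed[r] == 0) recipients.push(r);
        owed[r] += amount;
    }

    function distribute() external {
        for (uint256 i = 0; i < recipients.length; i++) {
            address r = recipients[i];
            uint256 amount = owed[r];
            owed[r] = 0;
            // External call inside the loop: a revert here undoes every iteration.
            token.safeTransfer(r, amount);
        }
    }
}

// Pull-payment form recommended by SWC-113: the loop only records balances and
// makes no external calls, so its cost is bounded by storage writes. Each
// recipient withdraws in its own transaction; one failing transfer cannot block
// the others.
contract PullDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public claimable;

    event Allocated(address indexed recipient, uint256 amount);
    event Claimed(address indexed recipient, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // Accounting only: no external calls in the loop.
    function allocate(address[] calldata rs, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        require(rs.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < rs.length; i++) {
            claimable[rs[i]] += amounts[i];
            emit Allocated(rs[i], amounts[i]);
        }
    }

    // Checks-effects-interactions: zero the balance before the single external
    // call, so a reentrant claim() finds nothing left to withdraw.
    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount);
        emit Claimed(msg.sender, amount);
    }
}
```

In PullDistributor a transfer that reverts only fails that recipient's own claim() transaction; the allocate() loop has no external call left to fail, and the gas it consumes scales only with the number of storage writes, which the owner can split across several transactions if the list is long.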