Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

Arrays not checked for zero values

Summary

Array arguments are not checked for zero values or zero addresses before they are used.

Vulnerability Details

Several functions take array arguments but do not sanity check whether the values in the array are zero values, e.g. uint256(0) or address(0), which causes the functionality to break or not work as intended.

Distributing to winners: Distribute.sol line 116, _distribute(..., address[] memory winners, ...), uses the values in the winners array to make payments without checking whether each individual address is address(0).

Distributing to winners: Distribute.sol line 146 calculates the amount for each winner, and if a percentage is 0 that winner gets a 0 payout. This can happen by mistake because the uint256[] memory percentages array is not checked for zero values, e.g. the intention was to enter [1000,80] but [1000,00] is entered in the percentages array by error, since the array is built off-chain.

Impact

Not checking the above values before transfers can lead to the following problems, depending on the token implementation:

  • tokens being lost because they are sent to the zero address

  • reverts inside the loop, which means all other distributions fail as well

  • if a value in the percentages array is zero, by error or by malicious choice, a winner is not paid

Another impact is in token whitelisting: the constructor in ProxyFactory.sol line 81 does not check for address(0) in the submitted token array, leading to the project not working as expected, especially given that the whitelisted tokens cannot be updated afterwards.

Tools Used

Manual Analysis

Recommendations

It is recommended that, before using each individual value from the array, the code checks that the value is not zero or address(0). The checks may look like this:

uint256 winnersLength = winners.length;
for (uint256 i; i < winnersLength;) {
    // reject zero addresses so funds are never sent to address(0)
    require(winners[i] != address(0), "zero winner address");
    // percentages is uint256[], so compare against 0 rather than address(0)
    require(percentages[i] != 0, "zero percentage");
    uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
    erc20.safeTransfer(winners[i], amount);
    unchecked {
        ++i;
    }
}
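As an added illustration (not Sparkn's code and not the submitter's snippet), the following self-contained Solidity contract applies the recommended zero checks at both places the report names: the whitelisting constructor (ProxyFactory.sol line 81) and the distribution loop (Distribute.sol lines 116 and 146). The contract name, the minimal IERC20 interface, the storage layout and the length-mismatch check are assumptions made for this example; the real project uses SafeERC20's safeTransfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface used by this example (assumption, not the project's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ZeroCheckedDistributor {
    uint256 public constant BASIS_POINTS = 10000;

    // Hypothetical whitelist: validated once in the constructor because, as the
    // report notes, whitelisted tokens cannot be updated later.
    mapping(address => bool) public whitelistedTokens;

    constructor(address[] memory tokens) {
        require(tokens.length > 0, "no tokens");
        for (uint256 i; i < tokens.length; ) {
            // a zero token address would permanently break the whitelist
            require(tokens[i] != address(0), "zero token address");
            whitelistedTokens[tokens[i]] = true;
            unchecked { ++i; }
        }
    }

    function _distribute(
        address token,
        address[] memory winners,
        uint256[] memory percentages,
        uint256 totalAmount
    ) internal {
        require(whitelistedTokens[token], "token not whitelisted");
        uint256 winnersLength = winners.length;
        // assumption for this example: mismatched arrays are rejected up front
        require(winnersLength == percentages.length, "length mismatch");
        for (uint256 i; i < winnersLength; ) {
            // never pay out to address(0): tokens would be lost or the transfer revert
            require(winners[i] != address(0), "zero winner address");
            // a zero percentage silently pays a winner nothing; reject it
            require(percentages[i] != 0, "zero percentage");
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            require(IERC20(token).transfer(winners[i], amount), "transfer failed");
            unchecked { ++i; }
        }
    }
}
```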
