Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Distributor#_distribute - Distribution proceeds can’t go through if any of the winners are blacklisted by the stablecoin

vangrim

Summary:

The Distributor.sol contract, which oversees the distribution of prizes or rewards to winners, will not be able to distribute rewards to any of the winners if one of them is blacklisted by the stablecoin.

Vulnerability Details:

Many of the known stablecoins, such as USDC and USDT have a list of blacklisted addresses. Interactions with these blacklisted addresses are not possible if you are on those lists.

The Distributor.sol contract has been set up to send proceeds to a list of winners through the distribute and _distribute functions to the winners.
During the distribution process, if any of the winners are found to be on the stablecoin’s blacklist, the entire distribution is halted and doesn’t proceed further since all of the winning addresses are in the for-loop:

for (uint256 i; i < winnersLength;) {

uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;

erc20.safeTransfer(winners[i], amount);

unchecked {

++i;

}

This means even a single blacklisted winner can stop the funds from being sent out to all winners, including those not blacklisted.

Impact

Distribution Disruption: The core functionality of the Distributor contract, i.e., distributing rewards, is severely affected. Legitimate winners can miss out on their rewards due to the presence of a blacklisted entity in the list.

Operational Delays: Administrators or operators would need to spend time identifying the blacklisted entities, potentially delaying rewards for all winners.

Loss of Trust: Continuous halting of distributions can result in a loss of trust among participants, harming the reputation of the platform.

Severity: High

Winners will not be able to receive their reward as intended because of the blacklist addresses.

Likelihood: Medium

While being blacklisted belong to the exception rather than the rule, it can happen and be unexpected and unintended for all parties involved.

Recommendations:

Below are some of the recommended steps to mitigate the blacklisting:

Isolate Blacklisted Entities: Modify the distribution function to skip over blacklisted winners and continue distributing to others. This ensures that legitimate winners are not punished due to the existence of a blacklisted entity.
Change addresses: Introduce a functionality for the winners to be able to change their address.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.