Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Arrays are not checked for order when two or more are used together

Summary

Array values that are used together are not checked for correct ordering.

Vulnerability Details

Distributor.sol line 116, _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data), takes two arrays, winners and percentages, that are used in tandem. The ordering of elements is therefore very important, because each element is used alongside the element at the same index position in the other array.

It is critical that these arrays are ordered correctly. E.g. winners = [0xAlice, 0xBob] and percentages = [6000, 3000] may be an error where the intended ordering was in fact winners = [0xAlice, 0xBob] and percentages = [3000, 6000]. These percentages determine who is paid what.

Impact

Medium impact, as it disadvantages users: if the arrays are not ordered correctly, winners can be paid incorrectly, with some paid less than they expected because of the mismatch in ordering between the arrays.

Tools Used

Manual Analysis

Recommendations

Instead of using multiple arrays, it is recommended to use a struct that holds a winner and their percentage, so that each struct carries the information for its own winner, e.g.

struct Winner { address winner; uint256 percentage; }
function _distribute(..., Winner[] memory winners, ...) // takes an array of Winner structs

The above avoids the problem of mismatched ordering between the winners array and the percentages array, which can result in incorrect payouts to winners.
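A fuller sketch of the struct-based form recommended above, as an added example that is not the Sparkn Distributor code. The contract name, the IERC20Minimal interface, the custom errors, the Paid event and the 10000 basis-point total are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the Sparkn Distributor. All names are hypothetical.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PairedPayoutExample {
    // Assumption: shares are expressed in basis points and must total 10000.
    uint256 private constant BASIS_POINTS = 10_000;

    struct Winner {
        address winner;
        uint256 percentage; // share in basis points
    }

    error NoWinners();
    error ZeroAddressWinner(uint256 index);
    error SharesDoNotTotal(uint256 total);
    error TransferFailed(address winner);

    event Paid(address indexed winner, uint256 percentage, uint256 amount);

    // Each recipient travels with its own share, so reordering the array
    // cannot attach one winner's percentage to another winner.
    function _distribute(IERC20Minimal token, Winner[] memory winners) internal {
        uint256 count = winners.length;
        if (count == 0) revert NoWinners();

        uint256 total;
        for (uint256 i; i < count; ++i) {
            if (winners[i].winner == address(0)) revert ZeroAddressWinner(i);
            total += winners[i].percentage;
        }
        if (total != BASIS_POINTS) revert SharesDoNotTotal(total);

        uint256 balance = token.balanceOf(address(this));
        for (uint256 i; i < count; ++i) {
            uint256 amount = (balance * winners[i].percentage) / BASIS_POINTS;
            if (!token.transfer(winners[i].winner, amount)) revert TransferFailed(winners[i].winner);
            emit Paid(winners[i].winner, winners[i].percentage, amount);
        }
    }
}
```

The struct keeps each winner and share together but cannot tell whether the caller chose the right share for a given winner, so the Paid event records every pair for off-chain review.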
