Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Distribute process may be DoS'd if one of the winners is on the ERC20 blacklist

Summary

Some tokens, including USDC and USDT (two tokens that SPARKN intends to have whitelisted), implement a blacklist: USDC rejects transfers both from and to a blacklisted address, while USDT rejects transfers sent by one. If one of the winners' addresses is blacklisted by a token that rejects it as a recipient, the transfer to that winner reverts and the entire distribution process is DoS'd with it.

Vulnerability Details

In Distributor#_distribute, tokens are pushed to each winner in a for loop.

File: src\Distributor.sol

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) {
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }

If any one winner is blacklisted, the safeTransfer to that winner reverts, and so does the whole distribute transaction: no winner is paid.

Impact

The organizer and owner would be unable to distribute tokens to any of the winners, not just to the blacklisted one.

Tools Used

Manual review

Recommendations

Wrap the transfer in a try/catch so the for loop keeps executing even if one or more winners are blacklisted. The funds intended for a skipped winner stay in the contract and instead go to STADIUM_ADDRESS as commission; the situation can be reevaluated between the relevant parties afterwards, while the rest of the winners receive their tokens.

for (uint256 i; i < winnersLength;) {
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
- erc20.safeTransfer(winners[i], amount);
+ try erc20.safeTransfer(winners[i], amount) {} catch (bytes memory reason) {}
unchecked {
++i;
}
}
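Review bot: the `+` line will not compile if `safeTransfer` is OpenZeppelin's SafeERC20 library function (the usual source of that name), because `try` can only wrap an external call and library functions are internal; call the token's external `transfer` instead, e.g. `try erc20.transfer(winners[i], amount) returns (bool ok) { if (!ok) { /* record failure */ } } catch { /* record failure */ }`, since the return-value check that `safeTransfer` performed is otherwise lost. Two further points: the `(bytes memory reason)` binding is unused and can be dropped in favour of a bare `catch {}`, and an empty catch leaves no record of which winner was skipped, so emit an event or credit a per-winner balance there. Note also that a `returns (bool)` clause on a token that returns no data (USDT-style) makes return decoding revert outside the catch, so a low-level `call` with the SafeERC20-style `data.length == 0 || abi.decode(data, (bool))` check is the safer shape.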

Alternatively, use a pull-over-push pattern: record each winner's share and let winners call the contract to collect their own winnings, rather than pushing all the tokens out in one transaction.
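The following is an added example, not Sparkn's code, combining the two recommendations: the push loop from Vulnerability Details is kept, but a transfer that reverts or returns false parks the share in a per-winner balance that the winner pulls later. The contract and function names (ResilientDistributor, MockBlacklistToken, Demo, pending, claim, _tryTransfer) are hypothetical, the mock token is a constructed stand-in for a USDC-style blacklist that rejects a listed recipient, and access control and the STADIUM_ADDRESS commission path are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Sparkn's code. Names are hypothetical; access control
// and the commission path of the real Distributor are omitted.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Constructed mock of a USDC-style token: a transfer from or to a blacklisted
// address reverts, which is exactly what breaks the push loop.
contract MockBlacklistToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function setBlacklisted(address who, bool flag) external { blacklisted[who] = flag; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "Blacklistable: account is blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract ResilientDistributor {
    uint256 public constant BASIS_POINTS = 10000;
    IERC20 public immutable erc20;
    // Shares that could not be pushed; the winner pulls them with claim().
    mapping(address => uint256) public pending;

    event TransferFailed(address indexed winner, uint256 amount);

    constructor(IERC20 token) {
        // A low-level call to an address without code would "succeed" with
        // empty return data, so refuse such a token up front.
        require(address(token).code.length > 0, "token has no code");
        erc20 = token;
    }

    function distribute(address[] calldata winners, uint256[] calldata percentages, uint256 totalAmount) external {
        require(winners.length == percentages.length, "length mismatch");
        uint256 winnersLength = winners.length;
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            // A failed push no longer reverts the loop: the share is parked.
            if (!_tryTransfer(winners[i], amount)) {
                pending[winners[i]] += amount;
                emit TransferFailed(winners[i], amount);
            }
            unchecked { ++i; }
        }
    }

    // Pull path: a winner whose push failed collects the share later, for
    // example after being removed from the token's blacklist.
    function claim() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");
        pending[msg.sender] = 0;
        require(_tryTransfer(msg.sender, amount), "transfer failed");
    }

    // Low-level call instead of SafeERC20.safeTransfer (an internal library
    // function that try/catch cannot wrap). A revert such as a blacklist
    // check, or a `false` return, is reported as failure. Empty return data is
    // accepted because USDT-style tokens return nothing from transfer().
    function _tryTransfer(address to, uint256 amount) internal returns (bool) {
        (bool success, bytes memory data) =
            address(erc20).call(abi.encodeCall(IERC20.transfer, (to, amount)));
        return success && (data.length == 0 || abi.decode(data, (bool)));
    }
}

// Constructed scenario: three winners with a 50/30/20 split, the second one
// blacklisted by the token before distribution.
contract Demo {
    function run() external returns (uint256 paidA, uint256 parkedB, uint256 paidC) {
        MockBlacklistToken token = new MockBlacklistToken();
        ResilientDistributor dist = new ResilientDistributor(token);
        token.mint(address(dist), 10_000);

        address a = address(0xA1);
        address b = address(0xB2);
        address c = address(0xC3);
        token.setBlacklisted(b, true);

        address[] memory winners = new address[](3);
        winners[0] = a; winners[1] = b; winners[2] = c;
        uint256[] memory percentages = new uint256[](3);
        percentages[0] = 5000; percentages[1] = 3000; percentages[2] = 2000;

        dist.distribute(winners, percentages, 10_000);
        return (token.balanceOf(a), dist.pending(b), token.balanceOf(c));
    }
}
```

Demo.run() pays the first and third winners their shares in the same transaction and leaves the blacklisted winner's share in pending, where it can be claimed once the address is delisted. The low-level call is used deliberately rather than try/catch around safeTransfer: try/catch requires an external call, and a `returns (bool)` clause would make return decoding revert uncaught for tokens that return no data.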
