Project loops over an array of winners in order to pay them
Distributor.sol line 145 transfers the token winnings to every winner inside a loop. This has several problems:
it adds gas overhead for the protocol, which pays for every transfer instead of each winner paying for their own
if the array of winners is too large the loop runs out of gas, so the transaction reverts and no one can be paid
if a single transfer in the loop fails, e.g. erc20.safeTransfer(winners[i], amount); reverts because a winner is blacklisted by the token (or for any other reason), the whole transaction reverts because of the atomicity of the call, so one failing winner means none of the other winners can be paid (a denial of service of the payout)
Manual Analysis
It is recommended to use the Pull over Push withdrawal pattern for payments, in particular to prevent this denial of service, whether accidental or caused by a malicious winner.
The pull method means recording each winner's winnings, e.g. in a mapping, and letting winners withdraw their payments themselves.
By using the pull method, winners no longer risk going unpaid because of the loop of transfers: a revert from one recipient only affects that recipient's withdrawal, the distribution no longer runs out of gas on large arrays, and the protocol no longer pays the gas for every transfer.
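To make the recommendation concrete, the following is an added illustration and not code from Distributor.sol: a minimal push-style distributor with the looped safeTransfer next to a pull-style version that only records winnings and lets each winner claim. Contract, function and variable names (PushDistributor, PullDistributor, payWinners, creditWinners, claim, pendingWinnings) are assumptions made for this example; it assumes OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example (not the project's Distributor.sol); all names are assumed.

// Push pattern: one revert anywhere in the loop (a recipient blacklisted by
// the token, or out of gas on a large array) undoes every transfer, so no
// winner gets paid.
contract PushDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function payWinners(address[] calldata winners, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        for (uint256 i = 0; i < winners.length; i++) {
            token.safeTransfer(winners[i], amount); // any single failure reverts all
        }
    }
}

// Pull pattern: the distribution only writes storage (no external calls), and
// each winner withdraws independently, so one bad address cannot block the rest.
contract PullDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public pendingWinnings;
    uint256 public totalPending; // sum of all unclaimed winnings

    event WinningsCredited(address indexed winner, uint256 amount);
    event WinningsClaimed(address indexed winner, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // Records winnings only. Solvency check: the contract must already hold
    // enough tokens to cover everything that has been credited.
    function creditWinners(address[] calldata winners, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        uint256 total = winners.length * amount; // 0.8 checked math reverts on overflow
        require(
            token.balanceOf(address(this)) >= totalPending + total,
            "insufficient funds"
        );
        for (uint256 i = 0; i < winners.length; i++) {
            pendingWinnings[winners[i]] += amount;
            emit WinningsCredited(winners[i], amount);
        }
        totalPending += total;
    }

    // Checks-effects-interactions: zero the balance before the transfer so a
    // reentrant call sees nothing left to claim. A revert here (e.g. the caller
    // is blacklisted by the token) affects only this caller.
    function claim() external {
        uint256 amount = pendingWinnings[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingWinnings[msg.sender] = 0;
        totalPending -= amount;
        token.safeTransfer(msg.sender, amount);
        emit WinningsClaimed(msg.sender, amount);
    }
}
```

The solvency check in creditWinners assumes a standard ERC20 whose balanceOf reflects exactly what was deposited; for fee-on-transfer or rebasing tokens the accounting would need to be adjusted. The loop in creditWinners still costs gas per winner, but it is a bounded storage write with no external call, and a large array can be split across several calls without any winner losing their credit.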