Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Protocol reverts if reward is too high

Summary

If the sponsor/organizer sets a very large reward, e.g. 12188640972349073202481156316703990300344208912172690951521850948201382068, that is to be paid to a single winner, the _distribute() function in Distributor.sol overflows and the call reverts.

Vulnerability Details

The protocol's expected users have little technical experience on the web3 side. Such a user would reasonably expect that, having set a reward amount below type(uint256).max, they can give away 95% of it to a single winner through deployProxyAndDistribute() or deployProxyAndDistributeBySignature(). (They would assume the code simply computes 0.95 of the reward amount, and so would build the call data as below.)

address[] memory winners = new address[](1);
winners[0] = user1;
uint256[] memory percentages = new uint256[](1);
percentages[0] = 9500; // 95% expressed in basis points (10000 = 100%)

However, because the code works in basis points and multiplies the total reward by the percentage (9500 for 95%) before dividing, that product must itself fit in uint256. The largest total the code actually allows for a single 95% winner is therefore type(uint256).max / 9500, not type(uint256).max.

Organizers and sponsors should be stopped in advance from planning such a contest, or a constraint should be applied somewhere in code.

Impact

The organizer is unable to distribute the reward to the winner, because the distribution call reverts.

Tools Used

Manual inspection

Recommendations

  • Organizers and sponsors should be stopped in advance from planning such a contest, or a constraint should be applied somewhere in code.

  • Another way is to "split" the winnings by building the winner and percentage arrays as below, so that the same winner receives the amount in two transfers. This would either have to be communicated to organizers off-chain or implemented in the code:

address[] memory winners = new address[](2);
winners[0] = user1; // same winner listed twice
winners[1] = user1;
uint256[] memory percentages = new uint256[](2);
percentages[0] = 9000; // 90% in basis points
percentages[1] = 500;  // plus 5%, for the same 95% total
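The following is an added example, not code from Sparkn or from the submission, that models the basis-point payout arithmetic described above in Python with explicit uint256 bounds. It assumes (the page does not state this) that percentages are divided by a BASIS_POINTS denominator of 10000 and that each payout is computed as total * percentage / BASIS_POINTS, so the multiplication happens first. With those assumptions it reproduces the single-winner threshold from the Vulnerability Details section, shows the effect of the two-entry split from the second recommendation, and sketches the up-front bound the first recommendation asks for.

```python
# Added example, not Sparkn code: a Python model of the basis-point payout
# arithmetic that the report says overflows in Distributor._distribute().
# Assumptions (not taken from the page): percentages are divided by a
# BASIS_POINTS denominator of 10_000, and each payout is computed as
# total * percentage / BASIS_POINTS, i.e. the multiplication happens first.

UINT256_MAX = 2**256 - 1
BASIS_POINTS = 10_000  # assumed denominator: 9500 == 95%

# The total quoted in the report as an amount that makes the call revert.
REPORTED_TOTAL = 12188640972349073202481156316703990300344208912172690951521850948201382068


def checked_mul(a: int, b: int) -> int:
    """Mimic Solidity >=0.8 checked multiplication: raise instead of wrapping."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError(f"{a} * {b} does not fit in uint256")
    return product


def payouts(total_amount: int, percentages: list[int]) -> list[int]:
    """Per-entry payouts as the on-chain loop would compute them.

    Raises OverflowError at the entry where the contract would revert.
    """
    return [checked_mul(total_amount, p) // BASIS_POINTS for p in percentages]


def distribution_reverts(total_amount: int, percentages: list[int]) -> bool:
    """Empirical check: run the payout loop and report whether it overflows."""
    try:
        payouts(total_amount, percentages)
    except OverflowError:
        return True
    return False


def max_safe_total(percentages: list[int]) -> int:
    """Analytic bound: the largest total for which every entry's product fits.

    The binding constraint is the largest basis-point share, so for a single
    95% winner this is type(uint256).max / 9500, as the report states.
    """
    return UINT256_MAX // max(percentages)


def precheck(total_amount: int, percentages: list[int]) -> None:
    """The kind of guard the report asks for: reject a reward that is too
    large before tokens are committed to a contest, with an actionable
    message instead of a bare revert at distribution time.
    """
    limit = max_safe_total(percentages)
    if total_amount > limit:
        raise ValueError(
            f"reward {total_amount} exceeds the maximum distributable total "
            f"{limit} for a {max(percentages)} bp share"
        )


if __name__ == "__main__":
    single = [9500]
    split = [9000, 500]
    print("single-winner ceiling:", max_safe_total(single))
    print("reported total reverts with [9500]:", distribution_reverts(REPORTED_TOTAL, single))
    print("reported total reverts with [9000, 500]:", distribution_reverts(REPORTED_TOTAL, split))
    print("split ceiling / single ceiling:", max_safe_total(split) / max_safe_total(single))
```

Under these assumptions the reported total is exactly type(uint256).max / 9500 + 1, the smallest value that reverts for a single 95% winner. The 9000/500 split does accept that particular value, but it only moves the ceiling to type(uint256).max / 9000, about 5.6% higher, because the largest single share still governs; a bound enforced when the contest is created, as in precheck(), covers every percentage layout.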
