Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

out of gas cases can lock `distribute` function very often

tripathi

Summary

A Contest having high prize pool/funds will attract a lot of participant and higher participation will increase winner length [Also Malicious can use so many accounts to participate and gaining some percentage for every account] making distribute function out of gas and locking money in contract

Vulnerability Details

SEE SUMMARY

both described cases can increase winner's length. Which will make impossible to execute distribute function to work due to out of gas error.
Also I'm thinking to bigger picture as Sparkn pointed out they will be doing government funded projects so pretty sure there will be a lot of participation and chances of winner length very often
Severity- high
likelihood- high

File: src/Distributor.sol
function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
internal
{
[...............]
uint256 winnersLength = winners.length; // cache length
for (uint256 i; i < winnersLength;) {
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
erc20.safeTransfer(winners[i], amount);
unchecked {
++i;
}
}
[...........]
}

https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L143-L151C10

Impact

Distribution of reward for contest won't be possible by distribute function

Tools Used

Manual

Recommendations

it is always advised to follow withdraw pattern when protocol want to send funds to higher number of participants

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!