When sum of winners percentage is an irrational number, the distribution will failed
Summary
When sum of winners percentage is an irrational or fractional number, (for example, when decided 3 winners with equal amount of percentage), the distribution award/reward will failed
Vulnerability Details
The Distributor contract is being used to distribute ERC20 token to winners. The distribute() function contains token address, winners address list with its percentage, and bytes of data.
The winner's percentage is not regulated to have a specific amount percentage, but one thing to keep in mind is the totalPercentage should equal 10000 - COMMISION_FEE, and as commision fee is a constant 500 (in other word, there is 5% commision), thus, totalPercentage should be 9500.
A case scenario when there are 3 winners with expected to have equal percentage, so all totalPercentage should be 9500. But 9500 divided by 3 is 3166.667, since there is no fractions or decimals in solidity, we can round down as 3166. But this 3166 if multiply by 3 is 9498, which is not 9500, thus a revert will occurs because not passing the check.
There are many other scenario, not limited to only 3 winners, the point is, when the winner percentage is irrational number, the reward distribution will failed.
Impact
Distributor can't process same winners with its percentage is irrational number (for example 3 winners equal percentage), because the sum will not be 9500, thus revert.
Tools Used
Manual analysis
Recommendations
Revise the percentage calculation, and assume all percentage input total will be 100%, then one of way to do is to take commission fee percentage on each winner's percentage, and expect to have a rounded down / up with no other revert statement if the result is not 100% correct.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.