Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Correction Limitations in Winner Percentages and Addresses

Summary

The current implementation of the rewards distribution system lacks the ability to correct mistakes in specifying winners' addresses or their reward percentages once the distribution has been initiated. This can lead to financial discrepancies and potential conflicts.

Vulnerability Details

The Distributor.sol smart contract, as currently designed, proceeds with the distribution of rewards as soon as the owner or organizer invokes the relevant function. If the initiator enters incorrect information about the winners or their corresponding reward percentages (a plain human error), the mistake is irreversible: there is no provision to amend or adjust these details after they have been submitted, so any erroneous entry leads to rewards being misallocated.

POC:

  • Owner sets up a new Contest

  • Sponsors fund the contest

  • Supporters have filed their submissions.

  • The organizer/owner/judges have finished judging the contest.

  • The owner calls the deployProxyAndDistributeByOwner function, or the organizer calls the deployProxyAndDistribute function, passing the chosen winners and their percentages.

  • After the call, the initiator notices an error in either a winner's address or the percentage rewards.

  • Issue: there is no way to recover from this.

Impact

  • Once the rewards distribution process starts, any mistakes made in specifying the winners or their reward percentages become irreversible.

Tools Used

Manual review

Recommendations

  • Pre-publish the results, detailing the winners and their respective reward percentages, prior to initiating the rewards distribution.

  • Introduce a review period post-publication. This will provide an opportunity to detect and correct errors before the funds are distributed.
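As an added sketch of how the two recommendations above could be combined (this is illustrative example code, not Sparkn's Distributor.sol): results are published first, remain correctable while a review window is open, and funds can only move once that window has elapsed. The contract name, the 2-day REVIEW_PERIOD and the omitted token transfer are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration of the publish -> review -> distribute flow recommended above. Not Sparkn's
// Distributor.sol; contract name, REVIEW_PERIOD and the omitted token transfer are assumptions.
contract ReviewedDistribution {
    uint256 public constant REVIEW_PERIOD = 2 days;  // assumed review window
    uint256 public constant BASIS_POINTS = 10_000;   // 100% expressed in bps
    address public immutable organizer;
    address[] public winners;
    uint256[] public percentages;  // basis points, must sum to BASIS_POINTS
    uint256 public publishedAt;    // 0 until results are published
    bool public finalized;

    modifier onlyOrganizer() { require(msg.sender == organizer, "not organizer"); _; }
    constructor(address _organizer) { organizer = _organizer; }

    // Step 1: publish the proposed winners. Starts the review clock; no funds move yet.
    function publishResults(address[] calldata w, uint256[] calldata p) external onlyOrganizer {
        require(publishedAt == 0, "already published");
        _setResults(w, p);
        publishedAt = block.timestamp;
    }

    // Step 2: while the window is open, a wrong address or percentage can still be replaced.
    function correctResults(address[] calldata w, uint256[] calldata p) external onlyOrganizer {
        require(publishedAt != 0 && !finalized, "nothing to correct");
        require(block.timestamp < publishedAt + REVIEW_PERIOD, "review period over");
        _setResults(w, p);
    }

    // Step 3: distribution is only possible once the review window has elapsed.
    function distribute() external onlyOrganizer {
        require(publishedAt != 0 && !finalized, "not ready");
        require(block.timestamp >= publishedAt + REVIEW_PERIOD, "still in review");
        finalized = true;
        // transfer each winner's share of the prize token here (omitted in this example)
    }

    // Shared validation: matching lengths, no zero address, shares sum to exactly 100%.
    function _setResults(address[] calldata w, uint256[] calldata p) internal {
        require(w.length == p.length && w.length > 0, "bad input");
        uint256 total;
        for (uint256 i = 0; i < w.length; i++) {
            require(w[i] != address(0), "zero address");
            total += p[i];
        }
        require(total == BASIS_POINTS, "shares must sum to 100%");
        winners = w;
        percentages = p;
    }
}
```

The same gating can be applied to the existing deployProxyAndDistribute and deployProxyAndDistributeByOwner entry points by having them require a published, review-complete result set instead of accepting winners directly.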
