Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Potential DOS if token has callbacks on transfer

Summary

The _distribute function pushes tokens to every winner in one loop using safeTransfer. If the prize token invokes a callback on the recipient when it receives tokens, a malicious winner can revert inside that callback on every transfer. Because safeTransfer propagates the revert, the whole distribution transaction fails, effectively locking the contract and preventing further distributions.

Vulnerability Details

If the token invokes a hook on the recipient upon receiving tokens (for example ERC777, whose tokensReceived hook is called on any recipient contract registered for it), a malicious actor can deploy a winner contract whose hook always reverts. The revert bubbles up through safeTransfer, and since the distribution loop does not catch such reverts, the entire distribution transaction fails.

This means that if even one winner in the list has such a malicious setup, the distribution fails for every winner in the list, not only those after the malicious entry, because the revert unwinds the whole transaction. The result is a Denial of Service on distribution.

Impact

The contract can be locked and made unusable if even one malicious actor is in the winners' list.
Funds could be locked indefinitely, causing potential financial loss and disruption of service.

Tools Used

Manual code review.

Recommendations

  • If the intention is to not support tokens with callbacks, this should be explicitly stated in the contract documentation and possibly checked at the contract level.

  • Implement the pull-over-push pattern. Instead of sending tokens directly to winners inside the loop, record the owed amounts in a mapping and let each winner withdraw their tokens individually through a claim function. This way, a winner whose withdrawal reverts only blocks their own claim and does not affect the others.
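The following Solidity is an added illustration written for this finding; it is not Sparkn's contract code and the names (CallbackToken, MaliciousWinner, PushDistributor, PullDistributor) are hypothetical. It shows both the failure mode described in the vulnerability details and the pull-over-push fix recommended above. The toy token calls a tokensReceived hook directly on contract recipients to stand in for ERC777 semantics (real ERC777 resolves the hook through the ERC1820 registry), and it uses a plain transfer plus require in place of SafeERC20's safeTransfer, which propagates the same revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for ERC777's recipient hook.
interface ITokensRecipient {
    function tokensReceived(address from, uint256 amount) external;
}

// Toy token that runs a callback on any contract recipient.
contract CallbackToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // The recipient can run arbitrary code here, including revert().
        if (to.code.length > 0) {
            ITokensRecipient(to).tokensReceived(msg.sender, amount);
        }
        return true;
    }
}

// A "winner" that rejects every incoming transfer.
contract MaliciousWinner is ITokensRecipient {
    function tokensReceived(address, uint256) external pure override {
        revert("recipient refuses tokens");
    }
}

// Push pattern: one reverting recipient halts the whole loop.
contract PushDistributor {
    CallbackToken public immutable token;

    constructor(CallbackToken t) { token = t; }

    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            // If winners[i] is a MaliciousWinner this reverts, and the revert
            // also undoes every transfer made earlier in this loop.
            require(token.transfer(winners[i], amounts[i]), "transfer failed");
        }
    }
}

// Pull pattern: record what each winner is owed; each winner claims alone.
contract PullDistributor {
    CallbackToken public immutable token;
    mapping(address => uint256) public owed;

    constructor(CallbackToken t) { token = t; }

    // No external call in the loop, so no recipient can block it.
    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            owed[winners[i]] += amounts[i];
        }
    }

    // A reverting recipient only fails its own claim; other winners are unaffected.
    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction, so a reentrant claim sees zero
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

To reproduce the finding, fund a PushDistributor with CallbackToken, call distribute with a MaliciousWinner anywhere in the winners array, and observe that the transaction reverts and no winner is paid. With PullDistributor the same call succeeds, honest winners can claim, and only the MaliciousWinner's own claim reverts. Note that the pull variant still requires the distributor contract to hold the tokens until they are claimed, so a stuck allocation for a malicious winner stays in the contract rather than blocking anyone else.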
