Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Issues in `distribute` if the token has blacklisted `STADIUM_ADDRESS`

Summary

If the token being used has a blacklist mechanism and the STADIUM_ADDRESS is on that blacklist, the _commissionTransfer function will fail, causing the entire _distribute function to revert. This can disrupt the intended distribution of tokens to winners.

Vulnerability Details

The _distribute function is responsible for distributing tokens to winners based on specified percentages. After distributing to the winners, the remaining tokens (commission) are sent to STADIUM_ADDRESS using the _commissionTransfer function.

If the token being used has a blacklist mechanism and the STADIUM_ADDRESS is blacklisted, the token.safeTransfer(STADIUM_ADDRESS, token.balanceOf(address(this))); line in _commissionTransfer will fail. This will cause the _distribute function to revert after it has already sent tokens to some winners, leading to an inconsistent state and potential loss of funds.

Impact

If STADIUM_ADDRESS is blacklisted, the _distribute function will fail after sending tokens to some winners, leading to a bricked contract for that token.

Tools Used

Manual review

Recommendations

Separate Commission Withdrawal: Implement a separate function to withdraw the commission to STADIUM_ADDRESS. This way, even if the transfer to STADIUM_ADDRESS fails, the distribution to winners will not be affected.
Fallback Mechanism: Implement a fallback mechanism where, in case of failure to transfer to STADIUM_ADDRESS, the commission is sent to a backup address or can be manually withdrawn by the contract owner.
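
A sketch of the first recommendation, added here as an example and not taken from the audited contract: the commission is accrued during distribution and sent to STADIUM_ADDRESS by a separate call. The contract name, `owner`, `commissionOwed`, `withdrawCommission`, the function signatures and the 10,000 basis-point percentage scale are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration of a pull-style commission; not the audited contract.
contract PullCommissionDistributor {
    using SafeERC20 for IERC20;
    uint256 private constant BASIS_POINTS = 10_000; // assumed percentage scale
    address public immutable STADIUM_ADDRESS;
    address public immutable owner; // hypothetical access control
    mapping(IERC20 => uint256) public commissionOwed; // accrued, not yet sent

    error Unauthorized();
    error LengthMismatch();
    error PercentagesExceedTotal();

    constructor(address stadium) {
        STADIUM_ADDRESS = stadium;
        owner = msg.sender;
    }

    // Pays winners only. No transfer to STADIUM_ADDRESS happens here, so a
    // blacklisted STADIUM_ADDRESS cannot make this call revert.
    function distribute(IERC20 token, address[] calldata winners, uint256[] calldata percentages) external {
        if (msg.sender != owner) revert Unauthorized();
        if (winners.length != percentages.length) revert LengthMismatch();
        uint256 totalPercent;
        for (uint256 i = 0; i < percentages.length; ++i) totalPercent += percentages[i];
        if (totalPercent > BASIS_POINTS) revert PercentagesExceedTotal();
        // Exclude commission accrued by earlier rounds from this round's pot.
        uint256 pot = token.balanceOf(address(this)) - commissionOwed[token];
        uint256 paid;
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (pot * percentages[i]) / BASIS_POINTS;
            paid += amount;
            token.safeTransfer(winners[i], amount);
        }
        commissionOwed[token] += pot - paid; // remainder is the commission
    }

    // Callable by anyone because the recipient is fixed. If the token rejects
    // the transfer, the whole call reverts and the accrued amount is kept.
    function withdrawCommission(IERC20 token) external {
        uint256 amount = commissionOwed[token];
        commissionOwed[token] = 0;
        token.safeTransfer(STADIUM_ADDRESS, amount);
    }
}
```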
