Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Winners array can include the same address more than once in `_distribute`

Summary

The `_distribute` function in the audited smart contract distributes tokens to a list of winners according to the percentages supplied for each. While the function checks that the percentages sum to the expected total, it does not check whether the same winner address appears more than once in the list. This oversight can lead to an unintended distribution of tokens.

Vulnerability Details

In the `_distribute` function, tokens are distributed to winners based on the percentages provided. The function checks that the total percentage is correct and that the length of the winners array matches the length of the percentages array. However, there is no check ensuring that a winner's address is not included multiple times in the winners array.

This means that a malicious actor could potentially include the same address multiple times with different percentages, leading to an unintended distribution of tokens to that address.

Impact

A malicious actor could cheat to receive more tokens than intended. This could lead to a loss of funds for other legitimate winners and could undermine the trust in the contract's distribution mechanism.

Tools Used

Manual review.

Recommendations

Implement a check in the `_distribute` function to ensure that each winner's address is unique.
As suggested, one way to enforce uniqueness is to require callers to submit the winners in ascending order and to check that each subsequent address is strictly greater than the previous one.
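As an added illustration (not the Sparkn contract's own code), the following minimal Solidity contract applies the ascending-order check before any transfer; the `IERC20` interface, the 10,000 basis-point total and the `DistributorExample` name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface needed here (assumption: the real contract
// uses a full token library; reduced so the example stays self-contained).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DistributorExample {
    // Constructed for this example: percentages are expressed in basis points.
    uint256 public constant BASIS_POINTS = 10_000;

    error LengthMismatch();
    error WinnersNotStrictlyAscending(uint256 index);
    error PercentagesDoNotSumToTotal(uint256 sum);
    error TransferFailed(address to);

    /// Returns true only if every address is strictly greater than the one
    /// before it. Duplicates and address(0) (the smallest possible value,
    /// used as the initial "previous") cannot pass this check.
    function isStrictlyAscending(address[] calldata winners) public pure returns (bool) {
        address previous = address(0);
        for (uint256 i = 0; i < winners.length; ++i) {
            if (winners[i] <= previous) return false;
            previous = winners[i];
        }
        return true;
    }

    function _distribute(
        address token,
        address[] calldata winners,
        uint256[] calldata percentages
    ) internal {
        if (winners.length != percentages.length) revert LengthMismatch();

        // Uniqueness check from the recommendation: locate the first offending
        // index so the revert reason tells the caller exactly where the order breaks.
        address previous = address(0);
        uint256 sum = 0;
        for (uint256 i = 0; i < winners.length; ++i) {
            if (winners[i] <= previous) revert WinnersNotStrictlyAscending(i);
            previous = winners[i];
            sum += percentages[i];
        }
        if (sum != BASIS_POINTS) revert PercentagesDoNotSumToTotal(sum);

        // All validation passed; only now move funds.
        uint256 total = IERC20(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;
            if (!IERC20(token).transfer(winners[i], amount)) revert TransferFailed(winners[i]);
        }
    }
}
```

Because the check runs before the transfer loop, a list such as `[A, A]` with `[5000, 5000]` reverts at index 1 instead of paying `A` twice.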
