Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Potential Denial-of-Service Risk in Token Distribution

Summary

The "Distributor" contract in the SPARKN system is designed to distribute ERC20 tokens (e.g., JPYC, USDC, USDT, DAI) to winners of contests. The contract uses the "_distribute" function to transfer tokens to multiple winners' addresses based on the provided percentages.

Vulnerability Details

One potential vulnerability in the current design is a denial-of-service (DoS) scenario arising from the distribution process itself. If any winner's address is blacklisted by the token (as USDC and USDT allow) or is a contract with a non-compliant receiving function, the "safeTransfer" call for that winner may revert and prevent further distribution. Because the distribution is carried out sequentially in a single transaction, one failed transfer halts the distribution to all subsequent legitimate winners.

Impact

The root cause is that each transfer is executed individually within a loop, and a single reverted transfer reverts the entire transaction. The design does not account for reverts caused by blacklisted addresses or non-compliant contracts.

Tools Used

Manual analysis

Recommendations

To mitigate the risk of a DoS scenario and ensure reliable token distribution, the following recommendation is proposed:
Modify the distribution logic to batch transfers to winners. This way, even if one transfer fails, it won't affect other transfers within the same batch. Batch transfers are more efficient and reduce the risk of partial distributions.
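The following is an added illustration, not the SPARKN Distributor's code: the sequential loop the finding describes next to a variant that isolates each transfer's outcome and records a failed share as claimable (a pull-payment fallback rather than the batching suggested above). The contract name, function names and the `claimable`/`claim` mechanism are hypothetical; access control and funding of the contract are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
// Added illustration, not the SPARKN Distributor; all names are hypothetical.
contract DistributionExample {
    IERC20 public immutable token;
    // Shares that could not be pushed to a winner, to be pulled via claim().
    mapping(address => uint256) public claimable;
    event TransferDeferred(address indexed winner, uint256 amount);

    constructor(IERC20 token_) { token = token_; }

    // Pattern described in the finding: a single reverting transfer (e.g. a
    // blacklisted USDC recipient) reverts the whole loop, so nobody is paid.
    function distributeSequential(address[] calldata winners, uint256[] calldata amounts) external {
        for (uint256 i = 0; i < winners.length; i++) {
            require(token.transfer(winners[i], amounts[i]), "transfer failed");
        }
    }

    // Hardened variant: each transfer's outcome is isolated; a failed one is
    // recorded as claimable instead of aborting, so the other winners are paid.
    function distributeResilient(address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            if (!_tryTransfer(winners[i], amounts[i])) {
                claimable[winners[i]] += amounts[i];
                emit TransferDeferred(winners[i], amounts[i]);
            }
        }
    }

    // A winner whose share was deferred pulls it in their own transaction.
    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;
        require(_tryTransfer(msg.sender, amount), "transfer failed");
    }

    // Returns false instead of reverting; accepts tokens that return a bool
    // (USDC) and tokens that return nothing (USDT). Assumes token is a contract.
    function _tryTransfer(address to, uint256 amount) internal returns (bool) {
        (bool ok, bytes memory data) = address(token).call(abi.encodeCall(IERC20.transfer, (to, amount)));
        return ok && (data.length == 0 || (data.length == 32 && abi.decode(data, (bool))));
    }
}
```

A deferred share only moves the failure to the affected winner's own `claim()` transaction, so a blacklisted recipient still cannot receive funds, but no longer blocks anyone else.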
