Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Payment fails completely if any of the winners is blacklisted by USDT/USDC

Summary

The distribution logic sends some amount of tokens to each of the winners' addresses. But the distribution (and deployment) transaction will fail completely if any of the winners has been blacklisted by the USDT/USDC contract.

Vulnerability Details

At Distributor.sol L#147, the contract tries to send specific amounts of the declared token to the winners' addresses in a loop. If any of the transfers fails, the whole deployment and distribution transaction fails. One reason a transfer might fail is that the recipient address is blacklisted. If the transfer logic is instead wrapped in a try-catch block, all the non-blacklisted addresses receive their payment, and the blacklisted address can be handled later.

Impact

A failed payment wastes a significant amount of gas for the organizer (if called via deployProxyAndDistribute) or for the owner (if called via deployProxyAndDistributeByOwner). Rebuilding the data is a burden for the organizer/owner and could delay payments.

Tools Used

Manual review

Recommendations

Wrap the token transfer logic inside the loop in a try-catch block.
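
One way to apply this recommendation, as an added sketch that is not code from Distributor.sol: Solidity's try/catch only covers external calls and does not catch a return-data decoding failure in the caller, so this version uses a low-level call that also tolerates tokens returning no value from `transfer`, as USDT does. The contract name, the `unpaid` mapping, the `TransferSkipped` event and the function signatures are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration; all names here are hypothetical, not the project's own.
contract TolerantDistributor {
    event TransferSkipped(address indexed token, address indexed winner, uint256 amount);

    // token => winner => amount that could not be delivered, kept for later handling.
    mapping(address => mapping(address => uint256)) public unpaid;

    // Pays every winner whose transfer succeeds; a failing transfer
    // (for example a blacklisted recipient) is recorded instead of
    // reverting the whole distribution.
    function _distribute(
        address token,
        address[] memory winners,
        uint256[] memory amounts
    ) internal {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; ++i) {
            if (!_tryTransfer(token, winners[i], amounts[i])) {
                unpaid[token][winners[i]] += amounts[i];
                emit TransferSkipped(token, winners[i], amounts[i]);
            }
        }
    }

    // Returns false instead of reverting when the token call reverts or
    // reports failure. Empty return data is accepted as success because
    // some tokens return nothing from transfer.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        // A call to an address without code succeeds trivially; treat it as a failure.
        if (token.code.length == 0) return false;
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(0xa9059cbb, to, amount) // transfer(address,uint256)
        );
        if (!ok) return false;
        if (ret.length == 0) return true;
        // Decode as uint256 so a malformed boolean cannot revert the loop.
        return ret.length == 32 && abi.decode(ret, (uint256)) == 1;
    }
}
```

Tokens recorded in `unpaid` stay in the contract, so a design like this also needs a separate, access-controlled path to release or redirect them.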
