Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

A failed reward transfer will prevent others from retrieving their rewards

Summary

In Distributor.sol the distribute function will revert if the token transfer fails, preventing other winners from getting their rewards.

Vulnerability Details

Several popular ERC20 tokens implement a blocklist for users. USDT and USDC are two such tokens, and the protocol is expected to use them, according to this comment in the constructor in ProxyFactory.sol:
* @notice The constructor will set the whitelist tokens. e.g. USDC, JPYCv1, JPYCv2, USDT, DAI
If a winner's address is included in such a blocklist, the transfer to it fails and the function reverts. Because the token transfers are executed in a for loop inside a single call, the revert also undoes the transfers to all other winners.

Impact

Winners would not be able to receive their rewards.

Tools Used

Manual review

Recommendations

To work around the issue, the owner would have to remove the problematic address from the winners array and execute the function again. Although this may seem like an easy mitigation, it could cause more issues, as the rewards would need to be redistributed among the rest of the winners in order to fulfill the needed percentages. One mitigation is to implement a push-pull pattern in which the fees are sent first in the distribute function, before any other token transfer.
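One way to implement the push-pull mitigation recommended above, as an added Solidity example rather than Sparkn's own code: distribute sends only the fee and credits each winner in storage, and each winner then withdraws with a separate claim call. The contract name, function signatures, basis-point scale and fee handling are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration, not Sparkn's Distributor.sol; every name below is hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
contract PullDistributor {
    uint256 private constant BASIS_POINTS = 10_000; // assumed scale: 100% = 10_000
    address public immutable owner;
    address public immutable feeRecipient;
    uint256 public immutable feeBps;
    mapping(address => mapping(address => uint256)) public claimable; // token => winner => unclaimed
    mapping(address => uint256) public totalOwed; // token => sum of unclaimed credits

    constructor(address feeRecipient_, uint256 feeBps_) {
        require(feeRecipient_ != address(0) && feeBps_ < BASIS_POINTS, "bad fee config");
        owner = msg.sender;
        feeRecipient = feeRecipient_;
        feeBps = feeBps_;
    }
    // Credits winners in storage; the fee is the only token transfer made here.
    function distribute(address token, address[] calldata winners, uint256[] calldata shareBps) external {
        require(msg.sender == owner, "not owner");
        require(winners.length != 0 && winners.length == shareBps.length, "bad input");
        // Tokens already credited to earlier winners are not part of this round's pool.
        uint256 pool = IERC20(token).balanceOf(address(this)) - totalOwed[token];
        uint256 sumBps = feeBps;
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (pool * shareBps[i]) / BASIS_POINTS;
            claimable[token][winners[i]] += amount;
            totalOwed[token] += amount;
            sumBps += shareBps[i];
        }
        require(sumBps == BASIS_POINTS, "shares + fee != 100%");
        _send(token, feeRecipient, (pool * feeBps) / BASIS_POINTS);
    }
    // Each winner withdraws alone, so a blocklisted address reverts only its own call.
    function claim(address token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount != 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before the external call
        totalOwed[token] -= amount;
        _send(token, msg.sender, amount);
    }

    function _send(address token, address to, uint256 amount) private {
        // USDT's transfer returns no data, so empty returndata counts as success.
        (bool ok, bytes memory ret) = token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```

A blocklisted winner's credit stays recorded in claimable and is excluded from later pools through totalOwed, so the other winners' percentages are unaffected.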
