Summary
Distributor._distribute()
distributes the prizes to all winners in a single loop.
If any one of the transfers fails, e.g. because a winner's address is blacklisted by USDC, the whole transaction reverts and none of the winners is paid.
Vulnerability Details
// Excerpt from Distributor._distribute(): every winner is paid inside one loop (push payment).
uint256 winnersLength = winners.length;
for (uint256 i; i < winnersLength;) {
// Winner i's share of totalAmount; presumably percentages[i] is expressed in basis points — confirm against BASIS_POINTS.
// NOTE(review): assumes percentages has at least winners.length entries; that check is not visible in this excerpt.
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
// A failing transfer reverts here, so one recipient that cannot receive the token
// (e.g. an address blacklisted by the token) reverts the whole loop and blocks payout to every winner.
erc20.safeTransfer(winners[i], amount);
// Manual increment without the overflow check; i stays below winnersLength, so it cannot overflow.
unchecked {
++i;
}
}
Impact
Denial of service of prize distribution: a single winner whose transfer reverts blocks the payout to every winner.
Tools Used
Manual Review
Recommendations
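Use a pull-payment pattern: `_distribute()` should only record each winner's prize, and a claim function (`claimPrize()` in the patch below) should let each winner withdraw their own prize, so that a failing transfer affects only that winner.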
+ mapping(address => uint256) public prize;
+ IERC20 public prizeToken;
+ function claimPrize() external {
+ uint256 amount = prize[msg.sender];
+ if (amount > 0)
+ {
+ delete prize[msg.sender];
+ prizeToken.safeTransfer(msg.sender, amount);
+ }
+ }
+ prizeToken = erc20;
uint256 winnersLength = winners.length;
for (uint256 i; i < winnersLength;) {
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
- erc20.safeTransfer(winners[i], amount);
+ prize[winners[i]] = amount;
unchecked {
++i;
}
}
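Review bot: `prize[winners[i]] = amount;` overwrites any balance that has not been claimed yet, so a winner who appears twice in `winners`, or who is credited again by a later distribution before claiming, loses the earlier amount; accumulate instead with `prize[winners[i]] += amount;`. The single `prizeToken` slot has a related problem if `_distribute()` can run with different tokens, which `prizeToken = erc20;` suggests: a later call repoints every outstanding balance at the new token, so the ledger should be keyed by token, e.g. `mapping(address => mapping(address => uint256)) public prize;`. The credited sum must also stay reserved in the contract until it is claimed, so any transfer of the remaining balance after the loop (not visible here) has to exclude it. The body of `_distribute()` starts and ends outside this hunk.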