Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Winners can get blacklisted and make `_distribute` fail

Summary

USDT, USDC, and JPYC all employ address blacklisting. A blacklisted winner will make the `_distribute` function fail.

Vulnerability Details

The problem revolves around the blacklist mechanisms in the USDT, USDC, and JPYC tokens. If one of the winners is blacklisted, the `safeTransfer` call that distributes tokens to that address will fail and the whole transaction reverts. The gas spent on the reverted transaction is lost, and the amount lost is directly proportional to the number of winners in the array.

The winners are indeed selected off-chain, but there is no way of knowing whether one of them is blacklisted before the actual attempt to `_distribute` the rewards. The vulnerability is not high/critical because the funds will not be stuck in the contract: the transaction can be resent without the blacklisted winner.

Impact

The loss incurred through wasted gas could reach significant amounts, given that the `_distribute` function uses a for loop to cycle through the winners array.

Tools Used

Manual review

Recommendations

If possible, use a pull-over-push strategy for the transfers. This allows winners to claim their rewards at their own convenience, and a single blacklisted winner will not stop the whole process. It could also make it easier to move winner selection on-chain instead of off-chain.
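The push loop described under Vulnerability Details beside the recommended pull-based alternative, as an added illustration that is not the Sparkn contract's own code. The contract layout, the `claimable` and `allocated` mappings, the `claim` function and the `BASIS_POINTS` denominator are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical, simplified distributor for illustration; not the Sparkn contract.
contract PushVsPullDistributor {
    using SafeERC20 for IERC20;
    uint256 public constant BASIS_POINTS = 10_000; // assumed percentage denominator

    // token => winner => amount the winner may still withdraw (pull model)
    mapping(address => mapping(address => uint256)) public claimable;
    // token => total recorded but not yet withdrawn, so a later round does not
    // hand out balances that already belong to earlier winners
    mapping(address => uint256) public allocated;

    // PUSH model (the pattern the finding describes): the first blacklisted
    // winner makes safeTransfer revert, the whole loop is undone, and the gas
    // spent on every earlier iteration is wasted.
    function _distributePush(address token, address[] memory winners, uint256[] memory percentages) internal {
        uint256 total = IERC20(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;
            IERC20(token).safeTransfer(winners[i], amount); // reverts for a blacklisted receiver
        }
    }

    // PULL model: distribution only writes storage, which no token blacklist can
    // block; each winner later withdraws on their own.
    function _distributePull(address token, address[] memory winners, uint256[] memory percentages) internal {
        uint256 total = IERC20(token).balanceOf(address(this)) - allocated[token];
        uint256 sum;
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;
            claimable[token][winners[i]] += amount;
            sum += amount;
        }
        allocated[token] += sum;
    }

    // A blacklisted winner's claim still reverts, but only their own call fails.
    function claim(address token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before interaction
        allocated[token] -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

Under the pull model a blacklisted winner's share simply stays recorded in `claimable`, so a production design also needs a policy for funds that are never claimed (for example a sweep after a deadline).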
