Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Follow the pull-over-push pattern.

Summary

_distribute() in Distributor.sol pushes each winner's share out in a loop inside a single transaction, so if any one of those transfers reverts, the whole distribution reverts.

Vulnerability Details

The protocol accepts USDC, whose token contract maintains a blacklist; any transfer to a blacklisted address reverts. If one winner's address is blacklisted, the transfer to that winner reverts, and because all winners are paid in one loop within one transaction, the transfers that already succeeded earlier in the loop are rolled back as well. No winner receives anything until the blacklisted address is removed from the winners list.

Impact

The likelihood of a winner's address being blacklisted is low, but if it happens the whole distribute() call reverts and the withdrawal process is blocked for every winner. The blacklisted winner then has to be removed and distribute() called again with different data. That is not possible for a distribution submitted as a meta-transaction through deployProxyAndDistributeBySignature(), since the signed data cannot be changed. The owner therefore has to call deployProxyAndDistributeByOwner() with the blacklisted winner removed, which can only happen after an additional week has passed. The tokens are not stuck forever, hence the low severity.

Tools Used

Manual Analysis.

Recommendations

Use the pull-over-push pattern. Have distribute() only record each winner's claimable amount, and implement a withdraw() function so winners pull their tokens themselves instead of the contract pushing them out in a loop. A single blacklisted winner then only affects that winner's own withdraw() call, not the distribution for everyone else.
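The following is an added illustration of the recommendation and is not code from Sparkn's Distributor.sol or from this submission. It assumes a minimal IERC20 interface and uses the hypothetical contract names PushDistributor (the pattern described in the finding) and PullDistributor (the recommended fix); the owner check is a simplification of whatever access control the real contract uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Sparkn's code. Minimal ERC20 surface needed here.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Push pattern (what the finding describes): one reverting transfer,
/// e.g. to a USDC-blacklisted winner, reverts the whole distribution.
contract PushDistributor {
    IERC20 public immutable token;
    address public immutable owner;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; ++i) {
            // If winners[i] is blacklisted, this transfer reverts and every
            // transfer already made earlier in this loop is rolled back too.
            require(token.transfer(winners[i], amounts[i]), "transfer failed");
        }
    }
}

/// Pull pattern (recommended): distribute() only records balances, and each
/// winner withdraws independently, so a blacklisted winner blocks nobody else.
contract PullDistributor {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public claimable;

    event Allocated(address indexed winner, uint256 amount);
    event Withdrawn(address indexed winner, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // No external calls here: this cannot revert because of a winner's address.
    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; ++i) {
            claimable[winners[i]] += amounts[i];
            emit Allocated(winners[i], amounts[i]);
        }
    }

    // Checks-effects-interactions: zero the balance before the external call
    // so a reentrant withdraw() cannot take the same amount twice.
    function withdraw() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to withdraw");
        claimable[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

With the pull pattern a blacklisted winner's share simply stays in the contract as an unclaimed balance; if that is not acceptable, an owner-only sweep after a deadline can be added without affecting the other winners. The `require(token.transfer(...))` form relies on the token returning a bool as USDC does; for tokens that return nothing, OpenZeppelin's SafeERC20 `safeTransfer` is the safer choice.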
