Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Blacklisted addresses may be unable to receive transfers, leaving funds stuck in the contract

Summary

The vulnerability concerns the addresses selected as winners, each tied to a percentage such that the percentages together make up 100% of the rewards minus the COMMISSION_FEE. If one or more of these addresses is blacklisted by the token used for rewards (e.g., USDC), the reward distribution cannot execute, because the token contract rejects the transfer to the blacklisted address. This can lead to funds being stuck in the contract.

Vulnerability Details

  1. Owner calls setContest with the correct salt.

  2. The Organizer sends USDC as rewards to a pre-determined Proxy address.

  3. One or more winners are blacklisted by the USDC operator.

  4. When the contest is closed, the Organizer calls deployProxyAndDistribute with the registered salt to deploy a proxy and distribute rewards. However, the call to distribute fails because Distributor._distribute reverts at Line 147 due to the presence of blacklisted addresses.

  5. USDC held at the Proxy becomes stuck and cannot be distributed to non-blacklisted winners.

// Findings are labeled with '<= FOUND'
// File: src/Distributor.sol
116: function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
117: ...
144:     uint256 winnersLength = winners.length; // cache length
145:     for (uint256 i; i < winnersLength;) {
146:         uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
147:         erc20.safeTransfer(winners[i], amount); // <= FOUND: a blacklisted winner makes this transfer revert, so the whole loop fails and funds stay stuck in the contract
148:         unchecked {
149:             ++i;
150:         }
151:     }
152: ...
156: }

Impact

The impact of this vulnerability is marked as Medium because, when the issue occurs, funds remain blocked until either the blacklisted winners are removed or their addresses are changed. If the blacklisted winners are removed, the reward system becomes unfair. If their addresses must be changed, the distribution can remain blocked for as long as those winners take to act, with the delay growing in proportion to the number of blacklisted addresses. This has the potential to disrupt the distribution process (griefing).

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, the following recommendations are made:

  1. Save winners and their claimable rewards into storage, and move the token transfer to winners into a separate claim function. This way, other winners are not blocked from obtaining their rewards.

  2. Implement a function for blacklisted winners to change their addresses, allowing them to receive their rewards without causing a distribution blockage.
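The following is an added illustration of both recommendations, not Sparkn's own code: rewards are recorded in storage during distribution and pulled by each winner through a separate claim function, so a transfer that reverts for a blacklisted address only affects that address. The contract name, the `claimable` mapping, the `redirect` function and the `totalAmount` parameter (assumed to already be net of COMMISSION_FEE) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical pull-based distributor (not the Sparkn Distributor): no external
// token call happens inside the winners loop, so one blacklisted winner cannot
// block the others from being paid.
contract PullDistributor {
    using SafeERC20 for IERC20;

    uint256 public constant BASIS_POINTS = 10000;

    // token => winner => reward amount still owed to that winner
    mapping(address => mapping(address => uint256)) public claimable;

    // Recommendation 1: record each winner's share instead of transferring in the loop.
    // totalAmount is assumed to be the reward pool after COMMISSION_FEE has been deducted.
    function _distribute(address token, address[] memory winners, uint256[] memory percentages, uint256 totalAmount)
        internal
    {
        require(winners.length == percentages.length, "length mismatch");
        uint256 winnersLength = winners.length; // cache length
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            claimable[token][winners[i]] += amount; // storage write only, cannot revert on blacklist
            unchecked { ++i; }
        }
    }

    // Each winner pulls its own reward; if the token rejects msg.sender, only this call reverts.
    function claim(address token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before interaction
        IERC20(token).safeTransfer(msg.sender, amount);
    }

    // Recommendation 2: a blacklisted winner moves its pending balance to another address
    // it controls, so the reward stays claimable without any change to the distribution.
    function redirect(address token, address newRecipient) external {
        require(newRecipient != address(0), "zero recipient");
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to redirect");
        claimable[token][msg.sender] = 0;
        claimable[token][newRecipient] += amount;
    }
}
```

Note that `redirect` only changes where a pending balance can be claimed from; it does not alter who was declared a winner or the percentages, so the fairness concern raised under Impact does not arise.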
