Rewards distribution will be DoS if any of the contest winners is blacklisted from the rewards tokens
Summary
Distributor.sol: if any of the winners is blacklisted from the rewards tokens; then this will DoS of rewards distribution.
Vulnerability Details
-
Contest rewards are distributed to the winners after the contest ends.
-
The rewards are distributed to the winners by invoking any of the
deployProxyAndDistribute,deployProxyAndDistributeBySignature&deployProxyAndDistributeByOwnerfunctions in theProxyFactorycontract. -
This will call the
distributefunction in the implementation (Distributor) contract; which will distribute the rewards for each winner in a loop:for (uint256 i; i < winnersLength;) {uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;erc20.safeTransfer(winners[i], amount);unchecked {++i;}} -
But some tokens have a blacklist where certain accounts are prohibited from having/transferring any tokens.
Impact
So if any of the winners is blacklisted in the reward token; then this will prvent rewards distribution to other winners as the
distributefunction will always revert.
Proof of Concept
Tools Used
Manual Testing.
Recommendations
Add a mechanism in the Distributor contract that enables each winner from claiming his rewards individually (pulling) instead of sending it directly (pushing).
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.