USDC-blacklisted addresses can DoS the token distribution system.
In the current code, tokens are distributed to winners inside a for loop (https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L145). However, a 'safeTransfer()' to a USDC-blacklisted user will fail. It will also brick the token distribution system, because the blacklisted user is never cleared.
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L145-L151
The USDC token distribution system is DoSed, and all of the remaining funds would be transferred to 'STADIUM_ADDRESS' through _commissionTransfer() (https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L163).
If 'STADIUM_ADDRESS' is also blacklisted, all of the tokens would be locked in the contract, causing a huge loss of funds.
Manual Review
Skip blacklisted users before the distribution of tokens.
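One way to implement the skip recommended above, as an added example that is not code from the Sparkn repository. `BlacklistAwareDistributor`, `withheld`, `totalWithheld`, `WinnerSkipped` and the `BASIS_POINTS` scale are hypothetical names and values; `isBlacklisted(address)` is the view USDC exposes, and the OpenZeppelin imports are assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// View exposed by USDC's blacklist module; other tokens may not implement it.
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

// Hypothetical contract for illustration, not the Sparkn Distributor.
contract BlacklistAwareDistributor {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000; // assumed percentage scale
    mapping(address => mapping(address => uint256)) public withheld; // token => winner => share
    mapping(address => uint256) public totalWithheld; // token => sum of withheld shares

    event WinnerSkipped(address indexed token, address indexed winner, uint256 amount);

    function _isBlacklisted(address token, address account) internal view returns (bool) {
        // A token without this view reverts the call; treat that as "not blacklisted".
        try IBlacklistable(token).isBlacklisted(account) returns (bool listed) {
            return listed;
        } catch {
            return false;
        }
    }

    function _distribute(address token, address[] memory winners, uint256[] memory percentages) internal {
        require(winners.length == percentages.length, "length mismatch");
        IERC20 erc20 = IERC20(token);
        // Exclude shares already withheld so they are not paid out twice.
        uint256 totalAmount = erc20.balanceOf(address(this)) - totalWithheld[token];
        for (uint256 i; i < winners.length; ++i) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            if (_isBlacklisted(token, winners[i])) {
                // Skip instead of reverting, so one winner cannot block the whole loop.
                withheld[token][winners[i]] += amount;
                totalWithheld[token] += amount;
                emit WinnerSkipped(token, winners[i], amount);
                continue;
            }
            erc20.safeTransfer(winners[i], amount);
        }
    }
}
```

The same check applies to the commission recipient: any sweep of the remaining balance should subtract `totalWithheld` and verify that the recipient is not blacklisted before transferring.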