When using stablecoins such as USDC, there is a case in which the funds of every participant will be locked permanently. This is due to the blacklist system implemented by USDC and many other popular, well-reputed tokens.
Blacklisting is certainly not uncommon and is used by many of the popular tokens used for payments, such as the stablecoin USDC. An address can get blacklisted for illegal activities; some were blacklisted just for using tools like Tornado Cash to keep their transactions private, and it is also perfectly possible for a disgruntled participant to intentionally get his address blacklisted to block the withdrawal of funds.
In the _distribute function of Distributor.sol, a loop iterates through the list of winner addresses, transferring the respective amounts. If any of the winning addresses is blacklisted (due to legal reasons, privacy tools, or other motives), the token transfer to that address reverts, and because the revert unwinds the whole call, the contract never reaches the remaining participants. The result is that all funds stay locked in the contract.
The vulnerability can therefore leave every participant's funds permanently locked in the contract, causing financial losses for all of them, since none can access their funds.
Manual Analysis
The _distribute function should be modified to check whether the winner's address is blacklisted before attempting to transfer funds. If the address is blacklisted, the function should skip that address and continue with the next one.
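The following is an added illustration, not code from Distributor.sol: a vulnerable loop beside a hardened one that skips blacklisted winners and records their share for a later pull-style claim. The `winners`/`amounts` parameters and the `IBlacklistable` interface (mirroring USDC's `isBlacklisted` view) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed subset of the blacklist interface exposed by USDC's FiatToken contract.
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

contract DistributorExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;              // e.g. USDC
    mapping(address => uint256) public pending; // amounts set aside for skipped winners

    event Skipped(address indexed winner, uint256 amount);

    constructor(IERC20 token_) { token = token_; }

    // Before: a single blacklisted winner reverts the whole loop,
    // so nobody after (or before, since state is rolled back) gets paid.
    function _distributeUnsafe(address[] memory winners, uint256[] memory amounts) internal {
        for (uint256 i = 0; i < winners.length; i++) {
            token.safeTransfer(winners[i], amounts[i]); // reverts when winners[i] is blacklisted
        }
    }

    // After: blacklisted winners are skipped and the loop continues. The skipped amount is
    // recorded rather than dropped, so it is not silently stranded in the contract.
    function _distributeSafe(address[] memory winners, uint256[] memory amounts) internal {
        IBlacklistable bl = IBlacklistable(address(token));
        for (uint256 i = 0; i < winners.length; i++) {
            if (bl.isBlacklisted(winners[i])) {
                pending[winners[i]] += amounts[i];
                emit Skipped(winners[i], amounts[i]);
                continue;
            }
            token.safeTransfer(winners[i], amounts[i]);
        }
    }

    // Pull path: a winner whose address has since been removed from the blacklist
    // can collect the recorded amount without blocking anyone else.
    function claim() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing pending");
        pending[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount);
    }
}
```

For tokens that do not expose an `isBlacklisted` view, the same skip-and-record logic can be driven by wrapping the external `transfer` call in `try`/`catch`, since the transfer itself is what reverts.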