Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Unbounded loop on array can lead to DoS

Summary

When the distribute function is called with a very large list of winners, the transaction's gas cost can exceed the block gas limit, making it impossible to call the function at all.

Vulnerability Details

In the Distributor.sol contract, the _distribute function takes the following parameters:

  • winners: An array of addresses of the winners

  • percentages: An array of the percentages of the total amount that each winner should receive

The function iterates through the winners array, calling the safeTransfer function of the ERC20 contract to transfer the respective amounts to each winner.

If the list of winner addresses is excessively large, the transaction's gas cost can exceed the block gas limit. The call then runs out of gas and reverts, so the function can never complete for that list of winners.

    uint256 winnersLength = winners.length; // cache length
    for (uint256 i; i < winnersLength;) { //@audit: unbounded loop over winners
        uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
        erc20.safeTransfer(winners[i], amount);
        unchecked {
            ++i;
        }
    }

Impact

The distribution transaction would fail, and the funds would remain permanently locked in the contract.

Tools Used

Manual Analysis

Recommendations

To mitigate the risk of exceeding the block gas limit, it is recommended to cap the length of the winners list that can be processed within a single transaction.
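The following contract is an added illustration of both the finding and the recommendation; it is not Sparkn's Distributor.sol. It places the unbounded loop quoted above next to a bounded version that rejects oversized or mismatched input before any tokens move. The contract name, the MAX_WINNERS value, the custom errors and the BASIS_POINTS value of 10_000 are assumptions made for the example; the OpenZeppelin SafeERC20 import is real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Added example (not the Sparkn project's code): the unbounded
///         winners loop from the report beside a bounded version.
///         BoundedDistributor, MAX_WINNERS and the error names are assumptions.
contract BoundedDistributor {
    using SafeERC20 for IERC20;

    // Assumed denominator for the percentages array (the report does not state it).
    uint256 private constant BASIS_POINTS = 10_000;

    /// @dev Hypothetical cap. Each iteration performs a full external
    ///      safeTransfer call, so the cap should be sized so that a call with
    ///      MAX_WINNERS entries stays well below the target chain's block gas limit.
    uint256 public constant MAX_WINNERS = 200;

    error LengthMismatch(uint256 winners, uint256 percentages);
    error WinnersExceedLimit(uint256 given, uint256 max);

    IERC20 public immutable erc20;

    constructor(IERC20 token) {
        erc20 = token;
    }

    /// @dev The pattern described in the finding: nothing bounds winners.length,
    ///      so a sufficiently long list pushes the call past the block gas limit
    ///      and the tokens can never leave the contract through this path.
    function _distributeUnbounded(
        address[] memory winners,
        uint256[] memory percentages,
        uint256 totalAmount
    ) internal {
        uint256 winnersLength = winners.length; // cache length
        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winners[i], amount);
            unchecked {
                ++i;
            }
        }
    }

    /// @dev Bounded version: validate the array lengths the loop relies on and
    ///      reject lists longer than MAX_WINNERS up front, so the gas cost of a
    ///      single call has a known ceiling and the revert happens before any
    ///      partial transfer is attempted.
    function _distributeBounded(
        address[] memory winners,
        uint256[] memory percentages,
        uint256 totalAmount
    ) internal {
        uint256 winnersLength = winners.length;
        if (winnersLength != percentages.length) {
            revert LengthMismatch(winnersLength, percentages.length);
        }
        if (winnersLength > MAX_WINNERS) {
            revert WinnersExceedLimit(winnersLength, MAX_WINNERS);
        }

        for (uint256 i; i < winnersLength;) {
            uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
            erc20.safeTransfer(winners[i], amount);
            unchecked {
                ++i;
            }
        }
    }
}
```

The cap turns an open-ended gas cost into a bounded one: a caller who needs to pay more than MAX_WINNERS recipients splits them across several transactions instead of producing a single call that can never be mined. The length-mismatch check is a related defence, since an out-of-bounds read of percentages would also revert the whole distribution.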
