Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low
Valid

Impossible Distribution Failure Due to Token Blacklisting Mechanisms

Summary

The _distribute function in the smart contract is designed to distribute tokens to a list of winners based on specified percentages. However, if one of the winners is blacklisted by the token's contract (some tokens have blacklisting mechanisms for various reasons), the safeTransfer function will fail, causing the entire distribution to revert.

Vulnerability Details

The issue arises from the lack of handling for potential transfer failures in the _distribute function. When the function iterates over the list of winners to distribute tokens, it uses the safeTransfer function from the OpenZeppelin library. If the transfer fails for any reason, such as a winner being blacklisted by the token's contract, the safeTransfer function will revert, causing the entire distribution process to stop.

Impact

If one of the winners is blacklisted, none of the winners (including those after the blacklisted winner in the list) will receive their tokens.

Tools Used

Manual Review

Recommendations

Consider using a low-level call to execute the transfer and skipping any winner for whom the call does not succeed (returns false); the funds can be rescued later by the owner after expiration.
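
One way to implement this recommendation, as an added example that is not the audited contract's code: the contract name, the `IERC20Min` interface, the `BASIS_POINTS` constant, the `TransferSkipped` event and the `_tryTransfer` helper are assumptions made for illustration, and the `_distribute` signature is simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface needed here (assumed name, illustration only).
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Added example: a distribution loop that tolerates a failing recipient.
abstract contract TolerantDistributor {
    uint256 private constant BASIS_POINTS = 10_000; // assumed: 100% == 10_000

    // Emitted instead of reverting, so skipped payouts can be reconciled off-chain.
    event TransferSkipped(address indexed token, address indexed winner, uint256 amount);

    /// Pays each winner its share of the balance; a failed transfer
    /// (for example a blacklisted recipient) is skipped, not propagated.
    function _distribute(
        address token,
        address[] memory winners,
        uint256[] memory percentages
    ) internal {
        require(winners.length == percentages.length, "length mismatch");
        // Snapshot once so every share is computed from the same total.
        uint256 total = IERC20Min(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;
            if (!_tryTransfer(token, winners[i], amount)) {
                // The share stays in this contract for later recovery by the owner.
                emit TransferSkipped(token, winners[i], amount);
            }
        }
    }

    /// Low-level ERC-20 transfer that reports failure instead of reverting.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        // A call to an address without code returns success, so reject it explicitly.
        if (token.code.length == 0) return false;
        (bool ok, bytes memory ret) =
            token.call(abi.encodeCall(IERC20Min.transfer, (to, amount)));
        if (!ok) return false;            // token reverted (blacklist, pause, ...)
        if (ret.length == 0) return true; // tokens that return no value
        // Decode as uint256 so a malformed boolean cannot revert the decode.
        return ret.length >= 32 && abi.decode(ret, (uint256)) != 0;
    }
}
```

Because skipped shares remain in the contract, any post-distribution check that expects a zero balance has to account for them, and the owner's recovery path after expiration is what returns them.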
