Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low
Valid

Potential Distribution Failure Due to Zero Rounded Transfer Amount

Summary

The _distribute function in the smart contract calculates the amount to distribute to each winner based on their respective percentages. However, when a calculated amount rounds down to zero and the token does not allow transfers of zero amount, the distribution will fail.

Vulnerability Details

The vulnerability arises from the calculation of the distribution amount using the formula totalAmount * percentages[i] / BASIS_POINTS. Because Solidity integer division truncates, the calculated amount can round down to zero if a winner's percentage is small or if the totalAmount of tokens to be distributed is low. Many token contracts do not allow transfers of zero amount, treating them as no-ops or even reverting the transaction. As a result, when the _distribute function attempts to transfer a zero amount, the safeTransfer call on the token can revert, causing the entire distribution process to halt.

Impact

If any winner's calculated distribution amount rounds to zero, the entire distribution process will fail.

Tools Used

Manual Review

Recommendations

Before executing the safeTransfer function, check if the calculated amount is greater than zero. If the amount is zero, skip the transfer for that particular winner and continue with the next one.
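
The failure and the recommended check can be reproduced with a small Python model. This is an added example, not code from the audited contract: the ZeroRejectingToken class, the distribute helper, the account names and the sample balances are constructed for illustration, and BASIS_POINTS is assumed to be 10,000.

```python
BASIS_POINTS = 10_000  # assumption: 100% is expressed as 10,000 basis points


class Revert(Exception):
    """Models an EVM revert."""


class ZeroRejectingToken:
    """Constructed stand-in for a token that reverts on zero-amount transfers."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        if amount == 0:
            raise Revert("zero-amount transfer")
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def distribute(token, pool, winners, percentages, skip_zero):
    """Pay each winner totalAmount * percentage / BASIS_POINTS from the pool.

    Returns True on success. On a revert, all balances are restored, as they
    would be for a reverted transaction, and False is returned.
    """
    snapshot = dict(token.balances)
    total_amount = token.balances.get(pool, 0)
    try:
        for winner, pct in zip(winners, percentages):
            amount = total_amount * pct // BASIS_POINTS  # truncating division
            if skip_zero and amount == 0:
                continue  # recommended check: skip winners whose share is zero
            token.transfer(pool, winner, amount)
    except Revert:
        token.balances = snapshot  # one failing transfer undoes the earlier ones
        return False
    return True


if __name__ == "__main__":
    # Constructed case: 50 base units, split 99% / 1%. 50 * 100 // 10_000 == 0.
    token = ZeroRejectingToken({"pool": 50})
    print(distribute(token, "pool", ["alice", "bob"], [9_900, 100], False))
    print(distribute(token, "pool", ["alice", "bob"], [9_900, 100], True))
    print(token.balances)
```

In this model the unguarded run leaves alice unpaid as well, because the revert on bob's zero share rolls back her transfer; with the check, bob is skipped and the units lost to rounding stay in the pool.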
