Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

[M] Blocklisted tokens will not be distributed to winners

Summary

If a token like USDC or USDT adds an address to its contract-level, admin-controlled blocklist
during the execution of the _distribute function, it could lead to unexpected consequences
and issues in the distribution process.

Vulnerability Details

Here's how it might play out:

The _distribute function starts by checking if the provided token address is whitelisted using the _isWhiteListed function.

If the token is not whitelisted, the function reverts with Distributor__InvalidTokenAddress.

Impact

However, if the token holder was not initially blocked but gets added to the blocklist
while the _distribute function is running (which is an external event and could occur independently),
the function wouldn't have this updated information during its execution.

As a result, the function might proceed as if the token is still valid for distribution,
leading to the execution of the safeTransfer calls to the winners' addresses.

However, since the blocklist has been applied to the winners' addresses, the safeTransfer calls would fail.

Tools Used

Manual Review

Recommendations

To mitigate this issue, the _distribute function should ideally incorporate a check at the time of
transferring tokens to ensure that the recipient is not on the blocklist.
This check would need to be performed right before each safeTransfer call,
ensuring that the tokens being transferred are not affected by any blocklist changes that might have occurred during the function's execution.
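
A sketch of the per-recipient check recommended above, as an added example that is not Sparkn's code. It assumes a USDC-style token exposing `isBlacklisted(address)` (other tokens name this getter differently); the contract, event and error names are hypothetical, and skipping a blocked winner so the rest are still paid is one possible policy, not one the report prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumption: USDC-style token with a public blocklist getter.
interface IBlocklistToken {
    function isBlacklisted(address account) external view returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical stand-in for a prize distributor; not the audited contract.
contract BlocklistAwareDistributor {
    uint256 private constant BASIS_POINTS = 10_000;
    address private immutable owner;

    event Distributed(address indexed winner, uint256 amount);
    event SkippedBlocklisted(address indexed winner, uint256 amount);

    error NotOwner();
    error LengthMismatch();
    error TransferFailed(address winner);

    constructor() {
        owner = msg.sender;
    }

    function distribute(
        IBlocklistToken token,
        address[] calldata winners,
        uint256[] calldata percentages // basis points per winner
    ) external {
        if (msg.sender != owner) revert NotOwner();
        if (winners.length != percentages.length) revert LengthMismatch();

        uint256 total = token.balanceOf(address(this));
        for (uint256 i; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;

            // Read the blocklist immediately before each transfer, so one
            // blocked recipient cannot revert the whole distribution.
            if (token.isBlacklisted(winners[i])) {
                // Assumed policy: the share stays in this contract for follow-up.
                emit SkippedBlocklisted(winners[i], amount);
                continue;
            }
            if (!token.transfer(winners[i], amount)) revert TransferFailed(winners[i]);
            emit Distributed(winners[i], amount);
        }
    }
}
```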
