Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

High number of winners will make reward distribution mechanism unusable

honeymewn

Summary

If there's a high number of winners organiser or owner will have to pay a large txn fee which might make the contract unusable.

Vulnerability Details

POC

MockERC20 weth;

function setUp() public {

// only deploy contracts

distributor = new Distributor(factoryAdmin, stadiumAddress);

// ----> weth = new MockERC20("Wrapped Ether", "WETH");

}

function testWithManyWinners() public {

weth.mint(address(distributor), 100e18);

vm.startPrank(factoryAdmin);

uint winnerCount = 100;

address[] memory winners = new address[](winnerCount);

uint[] memory percentages = new uint[](winnerCount);

for (uint i = 0; i < winnerCount; i++) {

winners[i] = address(uint160(i + 1));

}

for (uint i = 0; i < winnerCount; i++) {

percentages[i] = 9500 / winnerCount;

}

distributor.distribute(address(weth), winners, percentages, bytes("0"));

vm.stopPrank();

}

Test

forge test --match-test testWithManyWinners -vvv --gas-report

Output

|------------------------------------------|-----------------|---------|---------|---------|---------|

| 608747 | 3358 | | | | |

| Function Name | min | avg | median | max | # calls |

| distribute | 2805427 | 2805427 | 2805427 | 2805427 | 1 |

For 100 winners gas usage is at around 3M. Assuming gas cost of 100 gwei which was an average of 2021 bull market craze we get

>>> 2801501*100/1e9

0.2801501

which means 0.3 ETH is needed to distribute prizes. Further assuming eth price of 3000$ (average of 2021) we get around 1000$ for prize distribution!
There could actually be even more winners (up to 9500) so the price might be even higher. This a really high price and organizer may refuse to distribute prizes. Owner can refuse either because 5% might not be enough to cover the costs.

Impact

Supporters lose winnings or have to wait when it's economically viable for organizer or owner to distribute funds.

Tools Used

Recommendations

Use merkle trees for distributing prizes. The contract will only store the root of the tree and have a claim method which verifies a proof sent by a user.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.