Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

no duplication check for winners array

Summary

Duplicate Address Distribution in _distribute Function

Vulnerability Details

The _distribute function does not check the winners array for duplicate addresses. If an address appears more than once in the array, it receives a distribution for each occurrence, which can lead to unintended behavior and financial loss.

Impact

  • Unfair Distribution: Some participants may receive more tokens than others due to duplicate entries, leading to an unfair distribution of rewards.

  • Financial Loss: Distributing tokens to duplicate addresses results in a higher expenditure than planned, which can lead to unexpected financial losses for the distributor.

  • User Confusion: Duplicate distributions can confuse users who receive unexpected token amounts, potentially damaging the reputation of the distribution mechanism.

Tools Used

Manual code reviews

Recommendations

It is essential to add a check for duplicate addresses within the winners array before proceeding with the distribution. The suggested mitigation involves iterating through the winners array and comparing each address to all subsequent addresses to identify duplicates. If a duplicate is found, the function should revert to prevent further execution.
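
One way to implement the check described above, as an added example in Solidity (not the Sparkn code and not a patch from the submitter). The contract, function, and error names are hypothetical, and the array is assumed to be passed in memory.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added example: pairwise duplicate check for a winners array.
/// All identifiers here are hypothetical, not taken from the audited code.
abstract contract UniqueWinnersGuard {
    /// Reports the duplicated address and both positions where it occurs.
    error DuplicateWinner(address winner, uint256 firstIndex, uint256 secondIndex);

    /// Reverts if any address appears more than once in `winners`.
    /// Each entry is compared with every later entry, so the cost grows
    /// quadratically with the array length; no storage is written.
    function _requireUniqueWinners(address[] memory winners) internal pure {
        uint256 len = winners.length;
        for (uint256 i = 0; i < len; ++i) {
            address current = winners[i];
            for (uint256 j = i + 1; j < len; ++j) {
                if (current == winners[j]) {
                    revert DuplicateWinner(current, i, j);
                }
            }
        }
    }
}

/// Minimal harness showing where the guard sits: before any payout logic runs.
contract DistributionHarness is UniqueWinnersGuard {
    /// Returns the number of winners if the list is duplicate-free,
    /// otherwise reverts with DuplicateWinner.
    function validateWinners(address[] calldata winners)
        external
        pure
        returns (uint256)
    {
        // calldata is copied to memory for the internal check
        _requireUniqueWinners(winners);
        return winners.length;
    }
}
```

Because the check runs before any transfer, a list with a repeated address reverts the whole call and no partial distribution takes place.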
