Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Winner can provide blacklisted address to prevent payouts.

Summary

The winner of a contest can provide a blacklisted address to prevent payouts to other winners as well.

Vulnerability Details

Some tokens like USDC and USDT implement blacklists, which prevent token interactions with blacklisted addresses. This can be used to prevent payouts to other winners.

Say a winner provides such a blacklisted address. When the _distribute function tries to pay out to this address, the entire call will revert.

erc20.safeTransfer(winners[i], amount);

Since this call sits inside a for loop, the revert also undoes the payouts to every other winner. In fact the proxy deployment itself will revert, so no reward contract is created and no rewards are distributed to the participants. Thus a single winner can block payouts to all other participants. Recovering the funds then requires admin intervention, which is only possible after the grace period is over.

Since a single user can grief the rewards of other users, this is a high severity vulnerability.

Impact

One user can grief the rewards of other users.

Tools Used

Manual Review

Recommendations

Use a pull pattern, where winners are required to claim their rewards. This will prevent griefing attacks.
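To make the Vulnerability Details and this recommendation concrete, the following is an added, self-contained illustration (not the Sparkn / DeFiFoundryProxy code): a push-style distributor with the same revert-in-a-loop failure mode beside a pull-style distributor where each winner claims independently. The contract names, the minimal IERC20 interface and the use of a plain `require` on `transfer` instead of OpenZeppelin's `safeTransfer` are assumptions made to keep the file compilable on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal ERC-20 interface so the example compiles stand-alone.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Push pattern (the pattern the finding describes): one loop pays every
/// winner inside a single call. If any winners[i] is blacklisted by the token
/// (USDC/USDT style), that transfer reverts and the whole loop, and therefore
/// every other winner's payout, reverts with it.
contract PushDistributor {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            // A revert here (e.g. blacklisted recipient) undoes the entire loop.
            require(token.transfer(winners[i], amounts[i]), "transfer failed");
        }
    }
}

/// Pull pattern (the recommended fix): distribute() only records how much each
/// winner may claim and makes no external calls. Each winner then claims in a
/// separate transaction, so one unpayable address cannot block the others.
contract PullDistributor {
    IERC20 public immutable token;
    mapping(address => uint256) public claimable;

    event Claimed(address indexed winner, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    function distribute(address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            claimable[winners[i]] += amounts[i]; // bookkeeping only, no token call
        }
    }

    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        // Only the caller's own transfer can revert here; other winners are unaffected.
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Claimed(msg.sender, amount);
    }
}
```

Access control on `distribute` and the funding of the contract are omitted for brevity; a real implementation restricts who may call `distribute` and uses `safeTransfer` for tokens that do not return a bool. Note the residual case: with the pull pattern a blacklisted winner's share simply stays in the contract unclaimed, so the admin recovery path after the grace period that the finding mentions is still needed for that balance.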
