Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Lack of Validation for Winners' Addresses before transferring token to them

0xVinylDavyl

Summary

The _distribute function does not validate the addresses of winners before transferring tokens to them. This lack of validation can lead to unintended token transfers to invalid or malicious addresses, resulting in potential loss of funds.

Vulnerability Details

The _distribute function iterates through the winners array and transfers tokens to each winner's address without verifying if the addresses are valid. Malicious or incorrect addresses could exploit this vulnerability to receive tokens that were not intended for them.

function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
internal
{
// ... (other code)
for (uint256 i; i < winners.length;) {
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
erc20.safeTransfer(winners[i], amount);
unchecked {
++i;
}
}
// ... (other code)
}

Impact

Attackers can potentially receive tokens that were supposed to be distributed to legitimate winners. This can lead to financial loss for the distribution process and damage to the reputation of the contract.

Tools Used

Manual

Recommendations

Before transferring tokens to winners, ensure that each winner's address is valid and not equal to the zero address. You can add address validation checks using the require statement:

function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
internal
{
// ... (other code)
for (uint256 i; i < winners.length;) {
require(winners[i] != address(0), "Invalid winner address");
uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
erc20.safeTransfer(winners[i], amount);
unchecked {
++i;
}
}
// ... (other code)
}

By adding the require statement, you prevent token transfers to invalid addresses, improving the security of the distribution process.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.