Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: high
Valid

Allowing rewards to be sent to the zero address locks the funds forever

Summary

_distribute() allows a winner's share to be sent to address(0) while distributing the prize funds.

Vulnerability Details

The external function distribute() takes an array of winners as input:

    function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)

It forwards the winners and percentages arrays to the internal function _distribute(). That function validates the token address (non-zero and whitelisted) and checks that the two arrays are non-empty and of equal length, but it never validates the individual winner addresses: nothing prevents a winner entry from being address(0), so the corresponding share of the tokens is transferred to the zero address. Because the distributor relies entirely on the token's own transfer() for any zero-address rejection, a whitelisted token that accepts transfers to address(0) will leave that share unrecoverable.

    function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
        internal
    {
        if (token == address(0)) revert Distributor__NoZeroAddress();
        if (!_isWhiteListed(token)) {
            revert Distributor__InvalidTokenAddress();
        }
        // winners and percentages input check
        if (winners.length == 0 || winners.length != percentages.length) revert Distributor__MismatchedArrays();
        // ... (percentage loop and token transfers follow; no check on winners[i] itself)
    }

Impact

Any share of the prize pool sent to the zero address is lost permanently: no private key controls address(0), so the tokens can never be transferred out again. Whether the transfer actually goes through depends on the token: OpenZeppelin-style ERC20 implementations revert on a transfer to address(0), but the distributor itself does not enforce this, so any whitelisted token without that check burns the winner's share irrecoverably.

Tools Used

Manual review

Recommendations

Add a check inside the percentage loop of _distribute() so that address(0) cannot be passed as a winner. Reusing the existing Distributor__NoZeroAddress error keeps the revert reason consistent with the token check above it:

    for (uint256 i; i < percentagesLength;) {
        if (winners[i] == address(0)) revert Distributor__NoZeroAddress(); // added check
        totalPercentage += percentages[i];
        unchecked {
            ++i;
        }
    }
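The following is an added, self-contained Solidity example (not the Sparkn project's own code) that shows both halves of the issue described above: a constructed token whose transfer() accepts address(0), and a hypothetical distributor that mirrors the shape of _distribute() with the recommended winner check in place. The contract names, the basis-point convention for percentages, the in-contract whitelist mapping and the Demo harness are all assumptions made for illustration; the real contract uses its own whitelist logic and commission handling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Constructed ERC20-style token whose transfer() accepts address(0).
/// It models tokens that do not enforce a zero-address check themselves.
contract PermissiveToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount; // to == address(0) is silently accepted
        return true;
    }
}

/// Hypothetical distributor reproducing the structure of _distribute()
/// plus the recommended check on each winner address.
contract HardenedDistributor {
    error Distributor__NoZeroAddress();
    error Distributor__InvalidTokenAddress();
    error Distributor__MismatchedArrays();
    error Distributor__MismatchedPercentages();

    uint256 private constant BASIS_POINTS = 10_000; // assumption: percentages are basis points

    mapping(address => bool) private whitelist; // assumption: simple in-contract whitelist

    constructor(address token) {
        whitelist[token] = true;
    }

    function distribute(address token, address[] memory winners, uint256[] memory percentages) external {
        if (token == address(0)) revert Distributor__NoZeroAddress();
        if (!whitelist[token]) revert Distributor__InvalidTokenAddress();
        if (winners.length == 0 || winners.length != percentages.length) revert Distributor__MismatchedArrays();

        uint256 totalPercentage;
        for (uint256 i; i < percentages.length;) {
            // The added check: reject address(0) before any token moves.
            if (winners[i] == address(0)) revert Distributor__NoZeroAddress();
            totalPercentage += percentages[i];
            unchecked { ++i; }
        }
        if (totalPercentage != BASIS_POINTS) revert Distributor__MismatchedPercentages();

        PermissiveToken erc20 = PermissiveToken(token);
        uint256 totalAmount = erc20.balanceOf(address(this));
        for (uint256 i; i < winners.length;) {
            require(erc20.transfer(winners[i], totalAmount * percentages[i] / BASIS_POINTS), "transfer failed");
            unchecked { ++i; }
        }
    }
}

/// Deploys both contracts, funds the distributor, and submits a winner list
/// containing address(0). With the check in place the call reverts with
/// Distributor__NoZeroAddress and nothing reaches the zero address.
contract Demo {
    function run() external returns (bool rejected, uint256 lockedAtZero) {
        PermissiveToken token = new PermissiveToken(1000e6);
        HardenedDistributor dist = new HardenedDistributor(address(token));
        token.transfer(address(dist), 1000e6);

        address[] memory winners = new address[](2);
        winners[0] = address(0xBEEF);
        winners[1] = address(0); // malformed winner entry
        uint256[] memory pct = new uint256[](2);
        pct[0] = 6_000;
        pct[1] = 4_000;

        try dist.distribute(address(token), winners, pct) {
            rejected = false;
        } catch (bytes memory reason) {
            rejected = bytes4(reason) == HardenedDistributor.Distributor__NoZeroAddress.selector;
        }
        lockedAtZero = token.balanceOf(address(0)); // stays 0 because the call reverted
    }
}
```

Deploy Demo and call run(): it returns (true, 0). Removing the added check from the percentage loop makes the same call succeed and leaves 400e6 tokens credited to address(0) in PermissiveToken, which is exactly the locked-funds outcome the finding describes for tokens that do not reject the zero address themselves.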
