_distributeRewards() is callable by any user and performs no check that restricts when, or how often, it can be called.
The _distributeRewards() function should only be available once the voting has been completed, and it should be callable only once. There is no check or modifier that prevents the function from being called by anybody, from being called several times, or from being called before the voting has completed.
Allowing this function to be called under these conditions makes the reward distribution unfair, for example:
- One or several 'for' voters could take all the funds in the contract if no other votes have been cast: they call vote(true) and then _distributeRewards(), so the whole contract balance is transferred to them.
- Any malicious user could call _distributeRewards() before any vote has been cast, which transfers all the funds to the creator instantly.
- Because the function can be called repeatedly, any ether left in the contract after the first call can be drained by calling it again.
Very HIGH impact: anybody can drain the funds from the contract as soon as it is created.
Foundry, Solidity
It is highly desirable to add two checks to the _distributeRewards() function: one that ensures the voting has been completed, and a state variable that allows the function to be used only once:
bool private s_rewardDistributionCompleted;
...
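The following is an added illustration of the recommended fix, not the audited contract's code. It is a minimal hypothetical voting contract whose names (MIN_QUORUM, s_votingCompleted, s_forVoters, i_creator, vote, _distributeRewards, _send) and quorum rule are assumptions chosen for the example; the distribution rule (all funds to the creator when there are no 'for' voters, otherwise an equal split among them) follows the behaviour described in the finding above. The two checks at the top of _distributeRewards() are the ones the recommendation asks for, and the once-only flag is set before any ether leaves the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example for this finding; not the audited contract. All names and the
/// quorum rule (MIN_QUORUM) are assumptions chosen for illustration.
contract VotingRewardsExample {
    uint256 public constant MIN_QUORUM = 3; // assumed: voting ends after 3 votes

    address public immutable i_creator;
    address[] private s_forVoters;
    uint256 private s_againstVotes;
    mapping(address => bool) private s_hasVoted;

    // The two guards the recommendation asks for.
    bool private s_votingCompleted;
    bool private s_rewardDistributionCompleted;

    error AlreadyVoted();
    error VotingNotCompleted();
    error RewardsAlreadyDistributed();
    error TransferFailed();

    // Reward pool is funded at deployment.
    constructor() payable {
        i_creator = msg.sender;
    }

    function vote(bool voteFor) external {
        if (s_hasVoted[msg.sender]) revert AlreadyVoted();
        s_hasVoted[msg.sender] = true;

        if (voteFor) {
            s_forVoters.push(msg.sender);
        } else {
            s_againstVotes++;
        }

        // Voting closes exactly once quorum is reached; only then may rewards be paid.
        if (s_forVoters.length + s_againstVotes >= MIN_QUORUM) {
            s_votingCompleted = true;
            _distributeRewards();
        }
    }

    /// Hardened distribution. Without the first check anyone could trigger a payout
    /// before any votes (all funds to the creator) or after a single vote(true)
    /// (all funds to one voter); without the second, repeated calls could drain
    /// whatever balance remains after the first distribution.
    function _distributeRewards() internal {
        if (!s_votingCompleted) revert VotingNotCompleted();
        if (s_rewardDistributionCompleted) revert RewardsAlreadyDistributed();
        // Effects before interactions: mark as done before sending any ether.
        s_rewardDistributionCompleted = true;

        uint256 totalRewards = address(this).balance;
        uint256 forCount = s_forVoters.length;

        if (forCount == 0) {
            // No 'for' voters: the whole pool goes back to the creator.
            _send(i_creator, totalRewards);
            return;
        }

        // Equal split among 'for' voters (integer division leaves dust in the contract).
        uint256 rewardPerVoter = totalRewards / forCount;
        for (uint256 i = 0; i < forCount; i++) {
            _send(s_forVoters[i], rewardPerVoter);
        }
    }

    function _send(address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

If the distribution function must remain externally reachable in the real contract, the same two checks are sufficient to prevent the three scenarios listed above; setting s_rewardDistributionCompleted before the transfers also closes the door to re-entering the function from a recipient's fallback.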