The addDistribution function does not include checks for null address inputs, future expiry timestamps, or non-zero total amounts.
The addDistribution function in the MerkleDistributor contract is designed to add a new token distribution. However, there are several checks missing in the function's logic:
There is no verification that the _token address is not the zero address or a known dead address, which could lead to adding a distribution for an invalid or unintended token.
The _expiryTimestamp parameter is not validated to ensure that it represents a future time, which could result in a distribution with an immediate or past expiry time.
The function does not confirm that the _totalAmount parameter is greater than zero, opening the possibility of creating a distribution with no tokens to distribute.
The contract could record a distribution for an invalid token address, potentially causing confusion or misuse.
Distributions could be created with an expiry timestamp that has already passed or is immediate, possibly leading to issues with claiming tokens.
A distribution with a zero total amount could be added, which might cause errors in the distribution process or allow for pointless transactions that waste gas.
Manual review
Implement the following checks within the addDistribution function:
Verify that the _token address is not the zero address or a known dead address to prevent adding distributions for invalid tokens.
Ensure that the _expiryTimestamp is a timestamp in the future to avoid issues with token claims.
Check that the _totalAmount is greater than zero to guarantee that the distribution is meaningful.
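As an added illustration (not the audited project's code), a minimal addDistribution implementation that applies the three recommended checks. The Distribution struct layout, the _merkleRoot parameter, the owner gate, the DEAD constant and the up-front transferFrom funding are all assumptions, since the finding only names the three parameters being validated:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified distributor written to show the recommended input
// validation; it is not the audited MerkleDistributor.
contract MerkleDistributorExample {
    // Well-known burn address, rejected alongside address(0) (assumed constant).
    address internal constant DEAD = 0x000000000000000000000000000000000000dEaD;

    struct Distribution {
        address token;
        bytes32 merkleRoot;
        uint256 totalAmount;
        uint256 expiryTimestamp;
    }

    Distribution[] public distributions;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function addDistribution(
        address _token,
        bytes32 _merkleRoot,
        uint256 _totalAmount,
        uint256 _expiryTimestamp
    ) external returns (uint256 id) {
        require(msg.sender == owner, "not owner");
        // Check 1: reject the zero address and the dead address as token.
        require(_token != address(0) && _token != DEAD, "invalid token");
        // Check 2: expiry must be strictly in the future, or no claim window exists.
        require(_expiryTimestamp > block.timestamp, "expiry not in future");
        // Check 3: a zero-amount distribution has nothing to distribute.
        require(_totalAmount > 0, "zero amount");

        id = distributions.length;
        distributions.push(Distribution(_token, _merkleRoot, _totalAmount, _expiryTimestamp));
        // Pull the funding up front so the distribution is backed by real tokens
        // (assumed funding model; the original may fund distributions differently).
        require(IERC20(_token).transferFrom(msg.sender, address(this), _totalAmount), "transfer failed");
    }
}
```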