stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Invalid

No checks for arguments in the 'addDistribution' function

Summary

The addDistribution function does not check that the token address is non-null, that the expiry timestamp lies in the future, or that the total amount is non-zero.

Vulnerability Details

The addDistribution function in the MerkleDistributor contract is designed to add a new token distribution. However, there are several checks missing in the function's logic:

There is no verification that the _token address is not the zero address or a known dead address, which could lead to adding a distribution for an invalid or unintended token.

The _expiryTimestamp parameter is not validated to ensure that it represents a future time, which could result in a distribution with an immediate or past expiry time.

The function does not confirm that the _totalAmount parameter is greater than zero, opening the possibility of creating a distribution with no tokens to distribute.

Impact

The contract could record a distribution for an invalid token address, potentially causing confusion or misuse.

Distributions could be created with an expiry timestamp that has already passed or is immediate, possibly leading to issues with claiming tokens.

A distribution with a zero total amount could be added, which might cause errors in the distribution process or allow for pointless transactions that waste gas.

Tools Used

Manual review

Recommendations

Implement the following checks within the addDistribution function:

Verify that the _token address is not the zero address or a known dead address to prevent adding distributions for invalid tokens.
Ensure that the _expiryTimestamp is a timestamp in the future to avoid issues with token claims.
Check that the _totalAmount is greater than zero to guarantee that the distribution is meaningful.
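A hardened version of the function with the three recommended checks in place, as an added example. This is not stake.link's MerkleDistributor: only the parameter names _token, _expiryTimestamp and _totalAmount come from the finding, while the struct layout, the storage array, the owner gate, the _merkleRoot parameter and the dead-address constant are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not the project's code). Shows the input validation
/// the finding recommends for addDistribution; everything beyond the three
/// parameter names discussed in the finding is an assumption.
contract DistributionRegistryExample {
    address public immutable owner;
    // Common burn sentinel; treated as invalid alongside address(0).
    address constant DEAD = 0x000000000000000000000000000000000000dEaD;

    struct Distribution {
        address token;
        bytes32 merkleRoot;
        uint256 totalAmount;
        uint256 expiryTimestamp;
    }

    Distribution[] public distributions;

    error InvalidToken(address token);
    error ExpiryNotInFuture(uint256 expiry, uint256 current);
    error ZeroAmount();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addDistribution(
        address _token,
        bytes32 _merkleRoot,
        uint256 _totalAmount,
        uint256 _expiryTimestamp
    ) external onlyOwner {
        // Check 1: reject the zero address and the dead address.
        if (_token == address(0) || _token == DEAD) revert InvalidToken(_token);
        // Check 2: expiry must be strictly later than the current block time.
        if (_expiryTimestamp <= block.timestamp) {
            revert ExpiryNotInFuture(_expiryTimestamp, block.timestamp);
        }
        // Check 3: there must be something to distribute.
        if (_totalAmount == 0) revert ZeroAmount();

        distributions.push(Distribution(_token, _merkleRoot, _totalAmount, _expiryTimestamp));
    }
}
```

Custom errors carry the rejected value so an off-chain caller can tell which check failed without re-deriving it from the calldata.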

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
