MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Lack of Address Validation (Invalid or Zero Addresses in Players Array)

Description:

The constructor does not validate the addresses provided in the players array. Specifically, it does not check if any of the addresses are zero addresses (0x0000000000000000000000000000000000000000). Zero addresses are not valid recipients of ERC-20 tokens, and attempting to interact with them (e.g., transferring tokens) could result in unexpected behavior or the loss of funds.

Impact:

If a zero address is included in the players array, the following issues could arise:

  • Token Loss: Attempting to transfer tokens to a zero address would lead to an irreversible loss of those tokens, as the tokens would be sent to an address that cannot be accessed by any user.

  • Contract Failure: The contract might behave unexpectedly, leading to potential reverts or errors when interacting with the zero address.

  • Inconsistent State: Including invalid addresses can disrupt the intended reward distribution, leading to a loss of trust in the contract's functionality.

Proof of Concept:

  1. Deploy the contract with a zero address included in the players array:

    address[] memory players = new address[](2);
    players[0] = 0x0000000000000000000000000000000000000000; // zero address
    players[1] = player2; // placeholder: any valid, non-zero player address
    uint256[] memory rewards = new uint256[](2);
    rewards[0] = 1000;
    rewards[1] = 2000;
    IERC20 token = IERC20(tokenAddress); // placeholder: address of the deployed ERC-20
    new Pot(players, rewards, token, 3000);

  2. Attempt to claim the reward for the zero address using the claimCut function.

  3. The contract will either fail when trying to transfer tokens to the zero address, or the tokens will be lost permanently.

Recommended Mitigation:

Add validation in the constructor to ensure that no zero addresses are included in the players array. This can be done by iterating through the players array and checking each address before proceeding:

Example Fix:

    constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
        // Both arrays must describe the same set of players.
        require(players.length == rewards.length, "Players and rewards arrays must be the same length");
        for (uint256 i = 0; i < players.length; i++) {
            // Reject the zero address before recording any reward for it.
            require(players[i] != address(0), "Invalid player address");
            playersToRewards[players[i]] = rewards[i];
        }
        i_players = players;
        i_rewards = rewards;
        i_token = token;
        i_totalRewards = totalRewards;
        remainingRewards = totalRewards;
        i_deployedAt = block.timestamp;
        // Additional logic...
    }

This mitigation ensures that only valid addresses are included in the players array, preventing any unintended token loss or contract failures associated with zero addresses.
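A Foundry test for the constructor checks recommended above, added here as an example and not taken from the contest code base. `CheckedPot` is a hypothetical stand-in that carries only the validation logic from the fix; the test names and `makeAddr` labels are constructed, and `forge-std` is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for Pot: only the constructor validation from the fix.
contract CheckedPot {
    mapping(address => uint256) public playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards) {
        require(players.length == rewards.length, "Players and rewards arrays must be the same length");
        for (uint256 i = 0; i < players.length; i++) {
            require(players[i] != address(0), "Invalid player address");
            playersToRewards[players[i]] = rewards[i];
        }
    }
}

contract CheckedPotTest is Test {
    // Constructed reward values, matching the ones used in the proof of concept.
    function _rewards() internal pure returns (uint256[] memory rewards) {
        rewards = new uint256[](2);
        rewards[0] = 1000;
        rewards[1] = 2000;
    }

    function test_RevertsOnZeroAddressPlayer() public {
        address[] memory players = new address[](2);
        players[0] = address(0);
        players[1] = makeAddr("player2"); // constructed test address
        vm.expectRevert(bytes("Invalid player address"));
        new CheckedPot(players, _rewards());
    }

    function test_RevertsOnLengthMismatch() public {
        address[] memory players = new address[](1);
        players[0] = makeAddr("player1");
        vm.expectRevert(bytes("Players and rewards arrays must be the same length"));
        new CheckedPot(players, _rewards());
    }

    function test_AcceptsValidPlayers() public {
        address[] memory players = new address[](2);
        players[0] = makeAddr("player1");
        players[1] = makeAddr("player2");
        CheckedPot pot = new CheckedPot(players, _rewards());
        assertEq(pot.playersToRewards(players[0]), 1000);
        assertEq(pot.playersToRewards(players[1]), 2000);
    }
}
```

Run it with `forge test`; the two revert tests fail if either `require` is removed from the constructor.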

Updates

Lead Judging Commences

equious Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
