Cyfrin / 2023-08-sparkn


[M] Blocklisted tokens will not be distributed to winners #847

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-08-sparkn/blob/0f139b2dc53905700dd29a01451b330f829653e9/src/Distributor.sol#L116

Summary

If a token like USDC or USDT gets added to a contract-level, admin-controlled address blocklist during the execution of the _distribute function, it could potentially lead to unexpected consequences and issues in the distribution process.

Vulnerability Details

Here's how it might play out:

The _distribute function starts by checking if the provided token address is whitelisted using the _isWhiteListed function.

If the token is not whitelisted, the function reverts with Distributor__InvalidTokenAddress.

Impact

However, if the token holder was not initially blocked but gets added to the blocklist, while the _distribute function is running (which is an external event and could occur independently), the function wouldn't have this updated information during its execution.

As a result, the function might proceed as if the token is still valid for distribution, leading to the execution of the safeTransfer calls to the winners' addresses.

However, since the blocklist has been applied to the winner/s addresses, the safeTransfer calls would fail.

Tools Used

Manual Review

Recommendations

To mitigate this issue, the _distribute function should ideally incorporate a check at the time of transferring tokens to ensure that the recipient is not on the blocklist. This check would need to be performed right before each safeTransfer call, ensuring that the tokens being transferred are not affected by any blocklist changes that might have occurred during the function's execution.
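The recommended per-transfer check could look like the sketch below, which is an added example and not part of the original finding or the Sparkn code base. `GuardedPayoutSketch`, `IBlocklistToken` and the skip-and-log behaviour are assumptions made for illustration; the `isBlacklisted(address)` getter is modelled on USDC's, and other tokens expose their blocklist under different names or not at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed token surface: ERC-20 transfer plus a blocklist getter modelled on
// USDC's isBlacklisted(address). Other tokens name this getter differently.
interface IBlocklistToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function isBlacklisted(address account) external view returns (bool);
}

// Hypothetical contract for illustration; this is not Distributor.sol.
contract GuardedPayoutSketch {
    uint256 private constant BASIS_POINTS = 10_000;
    address private immutable i_owner;

    event PayoutSkipped(address indexed winner, uint256 amount);
    error GuardedPayoutSketch__NotOwner();
    error GuardedPayoutSketch__LengthMismatch();
    error GuardedPayoutSketch__TransferFailed();

    constructor() { i_owner = msg.sender; }

    function distribute(
        IBlocklistToken token,
        address[] calldata winners,
        uint256[] calldata percentages
    ) external {
        if (msg.sender != i_owner) revert GuardedPayoutSketch__NotOwner();
        if (winners.length != percentages.length) revert GuardedPayoutSketch__LengthMismatch();
        uint256 total = token.balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; ++i) {
            uint256 amount = (total * percentages[i]) / BASIS_POINTS;
            // Check right before the transfer, as the recommendation asks.
            if (token.isBlacklisted(winners[i])) {
                // Assumption: leave the share in the contract and log it,
                // so one blocked winner does not revert every other payout.
                emit PayoutSkipped(winners[i], amount);
                continue;
            }
            // Plain transfer stands in for SafeERC20.safeTransfer to keep the sketch import-free.
            if (!token.transfer(winners[i], amount)) revert GuardedPayoutSketch__TransferFailed();
        }
    }
}
```

Skipped shares stay in the contract, so a deployment using this pattern also needs a way for the organizer to reassign or recover them.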