ERC20 Token Blacklist Mechanism Interference with _distribute() function.
Vulnerability Details
The _distribute() function in the provided code is responsible for transferring an ERC20 token to a list of winners and subsequently to the STADIUM_ADDRESS. The function assumes that all safeTransfer operations will succeed. However, if the ERC20 token being used has implemented a blacklist (or any other restrictions on transfers), and one of the recipient addresses (either a winner or the STADIUM_ADDRESS) is on that blacklist, the safeTransfer operation will fail.
Given that the function does not handle such transfer failures, the entire transaction will revert, meaning no winners would receive their rewards, and no commission would be sent to STADIUM_ADDRESS.
Impact
Winners might not receive their rewards.
Commission may not be sent to STADIUM_ADDRESS.
Loss of gas fees for whoever triggers the _distribute() function.
Potential loss of trust or reputation if such a failure occurs, especially if this is part of a public contest or event.
Tools Used
Manual code review.
Recommendations
Validation Before Transfer: Before executing transfers, check if the addresses (winners or STADIUM_ADDRESS) are able to receive the tokens. This can be done if the ERC20 token provides a method to check blacklisting or transfer restrictions.
Error Handling: Implement error handling mechanisms to provide clearer feedback when a transfer fails. This can be combined with the aforementioned validation.
Alternative Distribution Mechanism: Consider an alternative distribution mechanism where each winner claims their prize. This way, if one winner is on a blacklist, it doesn't block others from receiving their rewards.
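The push-style loop the finding describes next to the pull-style alternative from the third recommendation, as an added illustration that is not the Sparkn Distributor code; STADIUM_ADDRESS, COMMISSION_BPS, BASIS_POINTS, the winners/percentages arrays and the caller-supplied `total` are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example (not the audited contract). Shows why a single blacklisted
/// recipient reverts a push-style distribution and how a pull-style claim avoids it.
contract PullDistributorExample {
    using SafeERC20 for IERC20;

    address public immutable STADIUM_ADDRESS;          // assumed commission recipient
    uint256 public constant COMMISSION_BPS = 500;      // assumed 5% commission
    uint256 public constant BASIS_POINTS = 10_000;     // percentages are in basis points (assumed)

    // token => recipient => amount still claimable
    mapping(address => mapping(address => uint256)) public claimable;

    constructor(address stadium) {
        STADIUM_ADDRESS = stadium;
    }

    /// Vulnerable shape: every transfer happens inside one loop, so a token whose
    /// transfer reverts for one winner (blacklist, paused, etc.) reverts the whole call
    /// and nobody, including STADIUM_ADDRESS, is paid.
    function _distributePush(address token, address[] memory winners, uint256[] memory amounts) internal {
        for (uint256 i = 0; i < winners.length; i++) {
            IERC20(token).safeTransfer(winners[i], amounts[i]);
        }
    }

    /// Hardened shape: only bookkeeping here, no external token calls, so no recipient
    /// can block another. `total` is the prize pool already held by this contract (assumed).
    function _distributePull(address token, uint256 total, address[] memory winners, uint256[] memory percentages)
        internal
    {
        uint256 commission = total * COMMISSION_BPS / BASIS_POINTS;
        uint256 pool = total - commission;
        for (uint256 i = 0; i < winners.length; i++) {
            claimable[token][winners[i]] += pool * percentages[i] / BASIS_POINTS;
        }
        claimable[token][STADIUM_ADDRESS] += commission;
    }

    /// Each recipient pulls its own share; a transfer that the token rejects only
    /// reverts that recipient's call, and the balance stays claimable for later.
    function claim(address token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before interaction
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

The pull variant also gives the clearer failure feedback asked for in the second recommendation, since a revert now names exactly one recipient's claim rather than the whole distribution.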
Severity
High Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L116-L156