F-2025-0010 · denial-of-service

Denial of service in AmbassadorRegistry::distributeFunds due to USDC/USDT blacklist behaviour

Fixed · raffle · lottery · vrf
TL;DR

distributeFunds loops over all active ambassadors and wraps each stablecoin transfer in require. If a single ambassador address is blacklisted by the token issuer, that transfer reverts and takes the whole batch down with it, so no ambassador receives rewards.

Severity: MEDIUM
Impact: MEDIUM
Likelihood: MEDIUM
Method: Manual review
Category: denial-of-service
Complexity: LOW
Exploitability: MEDIUM
Description

AmbassadorRegistry::distributeFunds loops over all active ambassadors and pays each one with stablecoin.transfer, wrapping every call in require:

solidity
require(stablecoin.transfer(ambassador, amountPerAmbassador), "Transfer failed");

USDC and USDT are issuer-controlled tokens whose contracts can blacklist addresses. If any active ambassador address is blacklisted, the transfer to that address reverts. Because the call sits inside the loop, the revert unwinds the entire transaction: the ambassadors processed before it are rolled back and the ones after it are never reached, so nobody is paid. The registry has no control over the issuer's blacklist, so it cannot prevent the condition from arising.

Impact

Denial of service of reward distribution: a single blacklisted address blocks payment to every ambassador in the batch, not only to the blacklisted one, for as long as that address remains in the active set.

Recommendation

Rewrite the function so that a failed transfer for one ambassador is recorded and skipped instead of reverting the whole batch. Note that a blacklist check (USDC's, for example) reverts the call rather than returning false, so testing the boolean return value alone is not enough; the external call has to be isolated in try/catch so the revert is contained:

solidity
try stablecoin.transfer(ambassador, amountPerAmbassador) returns (bool success) {
    if (success) {
        ambassadors[ambassador].totalEarned += amountPerAmbassador;
    } else {
        emit TransferFailed(ambassador, amountPerAmbassador);
    }
} catch {
    emit TransferFailed(ambassador, amountPerAmbassador);
}

Alternatively, use a pull-based system instead of a push system: have distributeFunds only record each ambassador's claimable amount, and let each ambassador withdraw it in a separate call. A blacklisted address then fails only its own claim and cannot affect anyone else's.
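The following contract is an added illustration, not code from the audited Nexalo contract or from this report. It places the vulnerable push loop from the description next to a try/catch-hardened version and a pull-based alternative, as recommended above. MockBlacklistStablecoin, AmbassadorRegistryExample, allocateFunds, claim and pending are assumed names; the mock reverts on a blacklisted sender or recipient, as USDC does, and returns a bool like a standard ERC-20. A token that returns nothing from transfer (USDT on Ethereum mainnet) would additionally need SafeERC20-style return-data handling, which this example does not cover.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Constructed mock of a blacklisting stablecoin (assumed name). As with USDC,
/// a transfer involving a blacklisted account reverts instead of returning false.
contract MockBlacklistStablecoin is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function setBlacklisted(address account, bool value) external {
        blacklisted[account] = value;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "account is blacklisted");
        balanceOf[msg.sender] -= amount; // 0.8.x checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

/// Reduced registry (assumed name) showing the three distribution patterns.
/// Access control on the admin functions is omitted to keep the example short.
contract AmbassadorRegistryExample {
    struct Ambassador {
        bool active;
        uint256 totalEarned;
    }

    IERC20 public immutable stablecoin;
    address[] public ambassadorList;
    mapping(address => Ambassador) public ambassadors;
    mapping(address => uint256) public pending; // pull-based credit (assumed field)

    event TransferFailed(address indexed ambassador, uint256 amount);

    constructor(IERC20 _stablecoin) {
        stablecoin = _stablecoin;
    }

    function addAmbassador(address ambassador) external {
        ambassadors[ambassador].active = true;
        ambassadorList.push(ambassador);
    }

    /// Pattern from the finding: one blacklisted recipient reverts the whole loop.
    function distributeFundsVulnerable(uint256 amountPerAmbassador) external {
        for (uint256 i = 0; i < ambassadorList.length; i++) {
            address ambassador = ambassadorList[i];
            if (!ambassadors[ambassador].active) continue;
            require(stablecoin.transfer(ambassador, amountPerAmbassador), "Transfer failed");
            ambassadors[ambassador].totalEarned += amountPerAmbassador;
        }
    }

    /// Hardened push: the external call is isolated in try/catch, so a revert
    /// (blacklist) or a false return for one recipient is logged and skipped.
    function distributeFunds(uint256 amountPerAmbassador) external {
        for (uint256 i = 0; i < ambassadorList.length; i++) {
            address ambassador = ambassadorList[i];
            if (!ambassadors[ambassador].active) continue;
            try stablecoin.transfer(ambassador, amountPerAmbassador) returns (bool ok) {
                if (ok) {
                    ambassadors[ambassador].totalEarned += amountPerAmbassador;
                } else {
                    emit TransferFailed(ambassador, amountPerAmbassador);
                }
            } catch {
                emit TransferFailed(ambassador, amountPerAmbassador);
            }
        }
    }

    /// Pull pattern, step 1: only book credit; no external calls inside the loop.
    function allocateFunds(uint256 amountPerAmbassador) external {
        for (uint256 i = 0; i < ambassadorList.length; i++) {
            address ambassador = ambassadorList[i];
            if (ambassadors[ambassador].active) pending[ambassador] += amountPerAmbassador;
        }
    }

    /// Pull pattern, step 2: each ambassador withdraws its own credit, so a
    /// blacklisted address can only fail its own claim. State is updated before
    /// the external call (checks-effects-interactions).
    function claim() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");
        pending[msg.sender] = 0;
        ambassadors[msg.sender].totalEarned += amount;
        require(stablecoin.transfer(msg.sender, amount), "Transfer failed");
    }
}
```

To reproduce the finding in a test: mint tokens to the registry, register two ambassadors, blacklist one of them on the mock, and call distributeFundsVulnerable; the whole call reverts with "account is blacklisted" and the non-blacklisted ambassador's balance stays at zero. The same setup against distributeFunds pays the healthy ambassador and emits TransferFailed for the blacklisted one. Tokens for skipped recipients stay in the contract in the hardened push variant, so the contract still needs a path to release them later; the pull variant handles that naturally, since the credit simply remains in pending until a claim succeeds.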

Resolution

Nexalo: Fixed.

Zealynx: Verified. Fixed.

Status: Fixed

© 2026 Zealynx