A few issues (though possibly all minor) around the following part in the aforementioned function:

```solidity
for (uint256 i = 0; i < payout.length; i++) {
    // fee is taken as a fraction of the gross payout amount
    uint256 feeAmount = (payout[i].amount * fee) / FEE_BASIS;
    if (feeAmount > 0) IERC20(payout[i].token).safeTransferFrom(msg.sender, feeRecipient, feeAmount);
    // the whitehat receives the full gross amount, not amount - feeAmount
    IERC20(payout[i].token).safeTransferFrom(msg.sender, wh, payout[i].amount);
}
```
The most critical issue is perhaps the transfer of `payout[i].amount`.

Shouldn't you be transferring only `payout[i].amount - feeAmount`?

Other issues are technically minor:

- You might want to consider replacing `safeTransferFrom(msg.sender, ...)` with `safeTransfer(...)`, since the latter is cheaper and cleaner (and doesn't require a preliminary approval).
- You might want to consider checking `payout[i].amount > 0` at the beginning of every iteration, in order to skip any redundant transfers (of zero). Presumably, passing zero amounts goes against the caller's incentive. But "causing damage with no practical gain" may nevertheless be an incentive. The damage in this case seems by itself minor - a redundant `PayWhitehat` event emitted in your contract. But perhaps some offchain entity relies on these events for some metrics or statistics.
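For comparison, here is how the loop looks once all three points above are applied: the fee is deducted from the gross amount instead of being charged on top, tokens are sent with `safeTransfer` from the contract's own balance (so the contract, not `msg.sender`, must hold the funds before the call), and zero-amount entries are skipped before any transfer or event. This is an added example written for this discussion, not the project's own contract: the contract name, the `PayoutItem` struct, the `payWhitehat` signature, the `PayWhitehat` event fields and the `FEE_BASIS = 10_000` basis-point convention are all assumptions; caller authorization is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example contract (assumed names; not the project's code).
/// Holds the payout tokens itself and pays a whitehat net of the fee.
contract PayoutEscrowExample {
    using SafeERC20 for IERC20;

    struct PayoutItem {
        address token;
        uint256 amount; // gross amount; the fee is deducted from it
    }

    uint256 public constant FEE_BASIS = 10_000; // fee is expressed in basis points (assumed)
    uint256 public immutable fee;               // e.g. 1_000 = 10%
    address public immutable feeRecipient;

    // Assumed event shape; the original PayWhitehat signature is not shown on this page.
    event PayWhitehat(address indexed wh, address indexed token, uint256 net, uint256 feeAmount);

    constructor(uint256 fee_, address feeRecipient_) {
        // fee <= FEE_BASIS guarantees feeAmount <= amount, so `amount - feeAmount` never reverts
        require(fee_ <= FEE_BASIS, "fee > 100%");
        require(feeRecipient_ != address(0), "zero fee recipient");
        fee = fee_;
        feeRecipient = feeRecipient_;
    }

    /// Pays `wh` from tokens already held by this contract.
    /// No allowance from msg.sender is needed because safeTransfer is used.
    function payWhitehat(address wh, PayoutItem[] calldata payout) external {
        require(wh != address(0), "zero whitehat");
        for (uint256 i = 0; i < payout.length; i++) {
            uint256 amount = payout[i].amount;
            if (amount == 0) continue; // skip zero entries: no transfers, no event

            // Integer division rounds down, so very small amounts may carry a zero fee.
            uint256 feeAmount = (amount * fee) / FEE_BASIS;
            uint256 net = amount - feeAmount; // whitehat gets gross minus fee, not gross

            IERC20 token = IERC20(payout[i].token);
            if (feeAmount > 0) token.safeTransfer(feeRecipient, feeAmount);
            token.safeTransfer(wh, net);

            emit PayWhitehat(wh, payout[i].token, net, feeAmount);
        }
    }
}
```

Note that with the original `safeTransferFrom(msg.sender, ...)` shape the caller is debited `amount + feeAmount` per entry, whereas the version above debits the contract exactly `amount`; whichever accounting the project actually intends, the event should report the net figure the whitehat received so that off-chain consumers are not misled by zero or over-counted payouts.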