Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

`Organizer` can rug pull supporters at the cost of `COMMISSION_FEE`

savi0ur

Summary

There is no check on the data passed while distributing tokens to winners, organizer can pass their own address as winners and rug pull actual winners by paying just a COMMISSION_FEE which is set to 5%.

Vulnerability Details

https://github.com/Cyfrin/2023-08-sparkn/blob/47c22b818818af4ea7388118dd83fa308ad67b83/src/ProxyFactory.sol#L127-L138

function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)

public

returns (address)

{

bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);

if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();

// can set close time to current time and end it immediately if organizer wish

if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();

address proxy = _deployProxy(msg.sender, contestId, implementation);

_distribute(proxy, data);

return proxy;

}

https://github.com/Cyfrin/2023-08-sparkn/blob/47c22b818818af4ea7388118dd83fa308ad67b83/src/ProxyFactory.sol#L249-L253

function _distribute(address proxy, bytes calldata data) internal {

(bool success,) = proxy.call(data);

if (!success) revert ProxyFactory__DelegateCallFailed();

emit Distributed(proxy, data);

}

When contest's closeTime is over i.e., saltToCloseTime[salt] <= block.timestamp, organizer can call deployProxyAndDistribute function with the data defined as below:

abi.encodeWithSignature(

Distributor.distribute.selector,

TOKEN_ADDRESS,

[ORGANIZER_CONTROLLED_ADDRESS],

[10000 - COMMISSION_FEE],

)

Here, organizer is passing encoded data of Distributor.distribute function.

As winners = [ORGANIZER_CONTROLLED_ADDRESS] and percentages = [10000 - COMMISSION_FEE], ORGANIZER_CONTROLLED_ADDRESS will receive 95% of all the tokens that was sent before deployment as COMMISSION_FEE is set to 5%. So organizer is only paying COMMISSION_FEE for conducting a contest, which is very cheap for organizer but supporters(winners) are losing their share.

Impact

Organizer can rug pull supporters(winners) just at a cost of commission fee.

Tools Used

Manual

Recommendations

We recommend to have some trusted parties may be only owner to distribute tokens that was sent before deployments to winners list shared by organizer.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.