Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Possibility of arbitrary execution by low-level call

0xhaku

Summary

Possibility of arbitrary execution by low-level call.

Vulnerability Details

The _deployProxyAndDistribute function and others call the _distribute function.
The _distribute function makes a low-level call to the function specified by implemention with the data argument.
The salts required for execution are registered by the onlyOwner setContest function, which is assumed to be basically safe, but if it is slipped through, arbitrary functions can be executed.

Impact

Calling any function of any contract with ProxyFactory as msg.sender.

Tools Used

Manual Review

Recommendations

Whitelisting of implemention addresses.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.