While there are various checks to ensure that the contest being controlled or called is a valid one, and that the call is being made at the appropriate time, there is no check to ensure that the caller is acting on the right contest.
The deployProxyAndDistribute and deployProxyAndDistributeBySignature functions of the contract do not explicitly validate that the caller is the organizer of the contest being distributed. This poses a risk because any valid organiser address could potentially perform these operations for any contest, not just its own.
Should a malicious organiser gain access to another organiser's contest then, although winner selection is not implemented on-chain, he or she could divert that contest's funds to undeserving winners or to maliciously created addresses under the attacker's control.
Manual analysis
Implement an additional validation step to ensure that the caller of the deployProxyAndDistribute and deployProxyAndDistributeBySignature functions is the organizer of that specific contest. This validation can be achieved by maintaining a mapping that links each contest ID to its organizer and reverting when the caller (or, for the signature variant, the recovered signer) does not match the stored organizer.
Access Control: Implement access control mechanisms that validate the caller's ownership of contests before allowing critical operations such as proxy deployment and prize distribution.
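The following contract is an added illustration of the recommended mitigation and is not the audited project's code. It is a deliberately minimal factory with hypothetical names (ContestRegistryFactory, organizerOf, closeTimeOf, setContest): the owner records the organizer of each contest in a mapping, and both distribution entry points revert unless the caller, or the signer recovered from the supplied signature, is the organizer stored for that contest ID. Proxy deployment is shown as an EIP-1167 minimal clone via create2; the salt and the signed digest layout are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added example (hypothetical, not the audited project's code): a factory that
/// records which organizer owns each contest and refuses proxy deployment and
/// prize distribution from anyone else.
contract ContestRegistryFactory {
    address public immutable owner;

    /// contestId => organizer. Written once by the owner when the contest is registered.
    mapping(bytes32 => address) public organizerOf;
    /// contestId => timestamp after which distribution is allowed.
    mapping(bytes32 => uint256) public closeTimeOf;
    /// contestId => true once distributed, so a contest cannot be paid out twice.
    mapping(bytes32 => bool) public distributed;

    event ContestCreated(bytes32 indexed contestId, address indexed organizer, uint256 closeTime);
    event ProxyDeployed(bytes32 indexed contestId, address indexed organizer, address proxy);

    error NotOwner();
    error NotOrganizer(bytes32 contestId, address caller);
    error ContestNotClosed(bytes32 contestId);
    error AlreadyDistributed(bytes32 contestId);
    error BadSignature();

    constructor() {
        owner = msg.sender;
    }

    /// Registers a contest and binds it to exactly one organizer.
    function setContest(bytes32 contestId, address organizer, uint256 closeTime) external {
        if (msg.sender != owner) revert NotOwner();
        require(organizerOf[contestId] == address(0), "contest exists");
        require(organizer != address(0), "zero organizer");
        organizerOf[contestId] = organizer;
        closeTimeOf[contestId] = closeTime;
        emit ContestCreated(contestId, organizer, closeTime);
    }

    /// The check the finding asks for: the caller must be *this* contest's organizer,
    /// not merely some organizer of some contest.
    modifier onlyOrganizer(bytes32 contestId) {
        if (organizerOf[contestId] != msg.sender) revert NotOrganizer(contestId, msg.sender);
        _;
    }

    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        external
        onlyOrganizer(contestId)
        returns (address proxy)
    {
        proxy = _deployAndDistribute(contestId, msg.sender, implementation, data);
    }

    /// Signature variant: anyone may relay, but the recovered signer must be the
    /// organizer stored for contestId. The digest binds this factory, the contest,
    /// the implementation and the distribution calldata (layout is an assumption).
    function deployProxyAndDistributeBySignature(
        bytes32 contestId,
        address implementation,
        bytes calldata data,
        bytes calldata signature
    ) external returns (address proxy) {
        address organizer = organizerOf[contestId];
        bytes32 digest = keccak256(
            abi.encodePacked(
                "\x19Ethereum Signed Message:\n32",
                keccak256(abi.encode(address(this), contestId, implementation, keccak256(data)))
            )
        );
        address signer = _recover(digest, signature);
        if (organizer == address(0) || signer != organizer) revert NotOrganizer(contestId, signer);
        proxy = _deployAndDistribute(contestId, organizer, implementation, data);
    }

    function _deployAndDistribute(bytes32 contestId, address organizer, address implementation, bytes calldata data)
        internal
        returns (address proxy)
    {
        if (block.timestamp < closeTimeOf[contestId]) revert ContestNotClosed(contestId);
        if (distributed[contestId]) revert AlreadyDistributed(contestId);
        distributed[contestId] = true;

        // EIP-1167 minimal proxy, salted per (organizer, contest, implementation).
        bytes32 salt = keccak256(abi.encode(organizer, contestId, implementation));
        bytes memory bytecode = abi.encodePacked(
            hex"3d602d80600a3d3981f3363d3d373d3d3d363d73", implementation, hex"5af43d82803e903d91602b57fd5bf3"
        );
        assembly {
            proxy := create2(0, add(bytecode, 0x20), mload(bytecode), salt)
        }
        require(proxy != address(0), "create2 failed");
        (bool ok, ) = proxy.call(data); // e.g. distribute(winners, amounts) on the clone
        require(ok, "distribute failed");
        emit ProxyDeployed(contestId, organizer, proxy);
    }

    /// ecrecover with the usual guards: 65-byte length, low-s only, non-zero signer.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) revert BadSignature();
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) revert BadSignature();
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0)) revert BadSignature();
        return signer;
    }
}
```

The key design point is that the organizer check is keyed by contestId rather than by a global "is an organizer" role: an organizer of contest A calling deployProxyAndDistribute for contest B hits NotOrganizer before any proxy is deployed or any funds move, and the signature path applies the same rule to the recovered signer so a relayer cannot replay one organizer's signature against another organizer's contest.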