If the `implementation` is malicious, then the organizers can steal the money that the sponsors give to the competition
Summary
According to the document description, I think this implementation refers to Distributor, but in function setContest, the implementation can be specified arbitrarily ( just check implementation == address(0)). If the owner wrongly specifies the implementation when setting up the competition or the organizer provides a malicious implementation(Considering that Distributor may be upgraded in the future, there may be several addresses of Distributor. If it is only audited by the owner, then it is possible that the malicious implementation will not be identified.), and the malicious implementation has a function that allows the organizer to steal the funds inside, which will cause the organizer to steal the money from the sponsor
Vulnerability Details
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/ProxyFactory.sol#L109
Impact
If the implementation is malicious, then the organizers can steal the money that the sponsors give to the competition
Tools Used
manual
Recommendations
Set implementation to the address of Distributor. Considering that Distributor may be upgraded in the future, you can add an array whitelist. implementation can only be selected in the whitelist
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.