ProxyFactory#distributeByOwner is supposed to rescue tokens that were accidentally sent to a proxy. However, the current implementation would only work if the prize token and the mistakenly sent token are different (e.g. USDT and JPYC respectively), but wouldn't work if they are the same.
Consider the following:
A 14-day contest has started. Sponsors start sending their JPYC rewards to the contest's proxy.
One week later, Alice sends 100 JPYC to the proxy by mistake. Alice realizes her mistake and contacts the owner for rescue.
After one more week, the contest ends.
Organizer distributes the JPYC rewards to the winners via
ProxyFactory#deployProxyAndDistributeByOwner
-> Proxy#fallback
-> Distributor#distribute
, which sends 95% of proxy's JPYC tokens to the winners and 5% to stadiumAddress.
One week after the end of the contest, EXPIRATION_TIME ends and the owner is finally able to rescue Alice's tokens - but there's no tokens to rescue anymore.
Change ProxyFactoryTest.t.sol#testSucceedsIfAllConditionsMet:
The protocol fails to deliver its rescue feature: a token accidentally sent to the proxy can not be saved unless it is different from the prize token.
Manual review
Consider reimplementing the rescue mechanism, so that the funds can be recovered from the proxy before they are distributed by organizer.
Or make sure that the organizer's front-end will include rescue requesters in the distribution.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.