The _distribute function within the ProxyFactory contract lacks proper protection against recursive invocation risk, which could potentially lead to unexpected behavior and fund loss.
The _distribute function, responsible for distributing prizes through proxy contracts, is susceptible to recursive attacks due to the absence of a proper reentrancy guard. The function currently uses the call method to invoke the implementation contract's logic using the provided data argument. However, it does not prevent the function from being re-entered before it completes its execution, creating a window for malicious actors to manipulate the flow of execution and exploit the contract.
An attacker could exploit reentrancy to repeatedly call the _distribute function and alter the state of the contract in unexpected ways. This could lead to incorrect distribution of prizes, unauthorized access to funds, and overall instability of the contract.
Manual
Use the "Checks-Effects-Interactions" pattern.
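The recommendation above, combined with the reentrancy guard the finding says is missing, as an added sketch that is not the ProxyFactory source. The contract name, the owner check, the distributed mapping and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative only: hypothetical names and storage, not the audited contract.
contract GuardedDistributor {
    error NotOwner();
    error Reentrancy();
    error AlreadyDistributed();
    error DistributionFailed();

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    address private immutable owner;

    // Hypothetical per-proxy flag: true once that proxy's prizes were paid out.
    mapping(address => bool) public distributed;

    constructor() {
        owner = msg.sender;
    }

    // Rejects any call that arrives while a guarded function is still running.
    modifier nonReentrant() {
        if (_status == ENTERED) revert Reentrancy();
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    function distribute(address proxy, bytes calldata data) external nonReentrant {
        if (msg.sender != owner) revert NotOwner();
        _distribute(proxy, data);
    }

    function _distribute(address proxy, bytes calldata data) internal {
        // Checks: refuse a second payout for the same proxy.
        if (distributed[proxy]) revert AlreadyDistributed();
        // Effects: commit state before control leaves this contract.
        distributed[proxy] = true;
        // Interactions: the external call comes last. If it fails, the
        // revert also rolls back the flag set above.
        (bool success, ) = proxy.call(data);
        if (!success) revert DistributionFailed();
    }
}
```

With this ordering, a callee that calls back into distribute during the external call is stopped by the guard, and even without the guard it would find the proxy already marked as distributed.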