Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Organizer can get prize for himself by setting him as a winner

SBSecurity

Summary

Contest Organizer can deploy Proxy and distribute winners' rewards by manually setting the winners and their winning percentage.

Vulnerability Details

Consider this example:

Trusted ProxyFactory owner, set a contest, and in the setContest() function, pass an organizer and other related parameters.

After the contest reaches its close time, the organizer calls deployProxyAndDistribute() and passes the winners and their percentage of the prize. But there are no restrictions on who can be the winner, so the organizer can pass himself (or his friends who participated in solving the problem) and get the prize.

Impact

Critical for the people who participated and are waiting for their rewards, because they will do the work, but the organizer can get the money for himself without any effort.

Tools Used

Manual

Recommendations

Keep the people involved in solving the problem and limit the organizer, sponsor, or owner of ProxyFactory.sol from being passed as a winner. Then when passing winners, each of them must exist in the participant mapping for example.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.