Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

No check of code existence under `implementation` address

Summary

The contest may be set with a non-existing implementation contract.

Vulnerability Details

Contests are created by calling the setContest(...) function with a provided implementation address. From this address and a salt, Sponsors can compute the Proxy contract address (whether already deployed or not) and transfer ERC20 tokens to it. However, during contest registration the implementation argument is never checked to be a deployed contract, so the caller may mistakenly provide an incorrect implementation address. Sponsors would then send tokens to a Proxy address from which the tokens cannot be retrieved. Moreover, delegated calls from the Proxy to an implementation address that holds no code succeed silently without returning an error, which makes the issue even harder to detect.

Impact

Funds may be unrecoverably lost due to registering a contest with an incorrect implementation address and sending tokens to an invalid Proxy address.

Tools Used

Manual review

Recommendations

Consider checking, in the setContest(...) function, whether there is deployed code at the implementation address. Additionally, as a best practice, consider checking the code size of the implementation before performing a delegated call in the Proxy contract.
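As an added illustration (not the Sparkn project's own code), both recommended checks in one place: a registry whose setContest(...) rejects an implementation address with no deployed code, and a proxy that refuses to delegatecall into a codeless target instead of silently succeeding. All contract, error and state-variable names other than setContest are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// @notice Hypothetical registry mirroring the setContest(...) flow; names
///         other than setContest are assumed for this example.
contract ContestRegistry {
    error ImplementationHasNoCode(address implementation);

    mapping(bytes32 => address) public implementationOf; // contestId => impl

    /// @dev Reject an implementation address that holds no deployed code.
    ///      code.length is also 0 while a contract's constructor is running,
    ///      so a contract registered mid-deployment is rejected as well.
    function setContest(bytes32 contestId, address implementation) external {
        if (implementation.code.length == 0) {
            revert ImplementationHasNoCode(implementation);
        }
        implementationOf[contestId] = implementation;
    }
}

/// @notice Minimal proxy that checks code size before every delegatecall.
contract GuardedProxy {
    address private immutable _implementation;

    error NoCodeAtImplementation(address implementation);

    constructor(address implementation) {
        if (implementation.code.length == 0) {
            revert NoCodeAtImplementation(implementation);
        }
        _implementation = implementation;
    }

    fallback() external payable {
        address impl = _implementation;
        // A delegatecall to an address without code returns success with empty
        // returndata, so without this check the caller never learns that
        // nothing was executed.
        if (impl.code.length == 0) revert NoCodeAtImplementation(impl);
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}
```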
