No check of code existence under `implementation` address
Summary
The contest may be set with a non-existing implementation contract.
Vulnerability Details
The contests are created with a call to setContest(...) function with provided implementation address. From this address, and salt, Sponsors can compute the Proxy contract address (already deployed or not yet) and transfer ERC20 tokens to that address. However, the implementation argument is not checked if it is a deployed contract during the registration of a contest. The caller may mistakenly provide an incorrect implementation address. This may result in Sponsors sending tokens to the Proxy contract address from which the tokens could not be retrieved. Moreover, the delegated calls from Proxy to the incorrect implementation address would silently fail without returning an error, making the issue even harder to detect.
Impact
Funds may be unrecoverably lost due to registering a contest with an incorrect implementation address and sending tokens to an invalid Proxy address.
Tools Used
Manual review
Recommendations
Consider checking, in the function setContest(...), if under the implementation address there is a deployed code. Additionally consider checking code size during a delegated call in a Proxy contract, as a best practice.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.