Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

The owner can call distributeByOwner against a proxy address that has never been deployed; the call succeeds and emits a misleading Distributed event.

Summary

Vulnerability Details

A low-level `call` to an address that holds no code always returns `success == true`, whatever calldata is passed: the EVM has nothing to execute, so there is no revert and no return data. `_distribute` relies only on that boolean, so a proxy address that was never deployed passes the check and the `Distributed` event is emitted even though nothing happened.

    function distributeByOwner(
        ...
    ) public onlyOwner {
        if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        // distribute only when the contest exists and has expired
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        _distribute(proxy, data);
    }

    function _distribute(address proxy, bytes calldata data) internal {
        // No check that `proxy` has code: a call to an empty address succeeds unconditionally
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

The issue is that neither `distributeByOwner` nor `_distribute` verifies that a contract actually exists at `proxy` before treating the call as a successful distribution. The salt and expiry checks confirm that the contest is registered, not that its proxy has been deployed.

Impact

Misleading event emission: the `Distributed` event is the signal a front end or monitoring system would use to conclude that winners have been paid. Emitting it for a call that executed no code reports a distribution that never took place.
If the owner distributes to a proxy that has not been deployed, the call is a no-op: no tokens move and the intended recipients receive nothing, while the event records the distribution as completed. Participants who were supposed to receive rewards can therefore be left unpaid.

Tools Used

Recommendations

Verify that a contract has been deployed at the specified proxy address before proceeding with the distribution. This can be done by checking that the address has bytecode (`proxy.code.length != 0`) and reverting otherwise.
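The following Foundry test, added here as an illustration and not taken from the Sparkn codebase, reproduces the behaviour described above against a minimal stand-in for the factory's distribution path. `DistributorExample`, `distributeUnchecked`, `distributeChecked` and the error `ProxyFactory__ProxyNotDeployed` are assumed names for this example; the `Distributed` event and `ProxyFactory__DelegateCallFailed` error mirror the ones shown in the finding. The first test shows that the unchecked version happily emits `Distributed` for an address with no code; the second shows the recommended `code.length` check rejecting the same address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

/// Example-only stand-in for the factory's distribution path (not the project's code).
contract DistributorExample {
    error ProxyFactory__DelegateCallFailed();
    // Assumed error name for this example; not part of the audited codebase.
    error ProxyFactory__ProxyNotDeployed(address proxy);

    event Distributed(address indexed proxy, bytes data);

    /// Vulnerable shape: a low-level call to an address with no code always succeeds,
    /// so the event is emitted even though nothing was executed.
    function distributeUnchecked(address proxy, bytes calldata data) external {
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

    /// Hardened shape: refuse to "distribute" to an address that holds no bytecode.
    function distributeChecked(address proxy, bytes calldata data) external {
        if (proxy.code.length == 0) revert ProxyFactory__ProxyNotDeployed(proxy);
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }
}

contract DistributeToUndeployedTest is Test {
    // Redeclared so the test can emit the expected event for vm.expectEmit.
    event Distributed(address indexed proxy, bytes data);

    DistributorExample internal d;
    address internal undeployed;
    bytes internal data;

    function setUp() public {
        d = new DistributorExample();
        // Constructed address for the test: nothing has ever been deployed here.
        undeployed = makeAddr("undeployed-proxy");
        // Arbitrary calldata; its content is irrelevant because no code will run.
        data = abi.encodeWithSignature("distribute(bytes)", bytes(""));
        assertEq(undeployed.code.length, 0);
    }

    function test_uncheckedCallToEmptyAddressSucceedsAndEmits() public {
        // The misleading behaviour: no revert, and Distributed is emitted for an empty address.
        vm.expectEmit(true, false, false, true);
        emit Distributed(undeployed, data);
        d.distributeUnchecked(undeployed, data);
    }

    function test_checkedRevertsOnEmptyAddress() public {
        // With the bytecode check, the same call is rejected before anything is emitted.
        vm.expectRevert(
            abi.encodeWithSelector(DistributorExample.ProxyFactory__ProxyNotDeployed.selector, undeployed)
        );
        d.distributeChecked(undeployed, data);
    }
}
```

Run with `forge test --match-contract DistributeToUndeployedTest`. The `code.length` check is cheap (a single EXTCODESIZE) and belongs in `_distribute`, so that every path into it, not just `distributeByOwner`, benefits. It does not, by itself, verify that the code at the address is the expected proxy implementation; the salt-derived address already binds the proxy to a registered contest, so the check only needs to establish that the deployment step has actually happened.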
