Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Funds can be lost to a non-deployed proxy & non-valid proxy for a contest

0xrex

Summary

Not validating the existence of a valid proxy in the distributeByOwner function can result in attempting to distribute and in fact, distributing to a non-deployed proxy or a proxy contract linked to another contest; thereby resulting in loss of funds for the contest

Vulnerability Details

This vulnerability can be seen in the distributeByOwner (L205-219) function at the ProxyFactory.sol contract which lacks checks for the proxy address being passed in the params to be validated as deployed and/or not belonging to another open contest on the platform

function distributeByOwner(

address proxy,

address organizer,

bytes32 contestId,

address implementation,

bytes calldata data

) public onlyOwner {

if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();

bytes32 salt = _calculateSalt(organizer, contestId, implementation);

if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();

// distribute only when it exists and expired

if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();

// @audit more check for proxy existence before calling _distribute

_distribute(proxy, data);

}

Impact

The caller of this function, including a bad actor can exploit this vulnerability to distribute rewards to a completely different contest or organizer in the case the owner has been compromised. A typical scenario would be setting up a challenge/competetition not intended to be fulfilled > getting sponsored > exploiting supporter's work > ultimately compromising owner and providing a proxy address to another contest (used specifically for dispersing funds to a bunch of random supporters non-existent) This will not only present the protocol in bad faith but ultimately lose sponsor's funds and supporters support.

Tools Used

Manual Review / VSCode

Recommendations

getProxyAddress before attempting to distribute
Employ a hardened check utilizing salt, owner, contest ID and implementation comparison
Verify proxy is infact existent/deployed before attempting to distribute

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.