If the ProxyFactory owner is compromised or wants to act maliciously, they can steal assets from expired contests (7 days from contest close time) however they'd like.
There is no on-chain verification of the organizer's consent to how the assets should be distributed in deployProxyAndDistributeByOwner and distributeByOwner calls. If the organizer fails to distribute the contest assets within 7 days, a malicious admin can distribute them however they'd like. If the admin account is compromised, the attacker can steal assets from all expired but undistributed contests, or steal mis-sent assets.
Add a signature parameter and verify the organizer's signature before executing the distribution transaction, to confirm the organizer's intent/consent.
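One way to implement this check, as an added example that is not the audited project's code. It assumes OpenZeppelin Contracts v4.9; the contract name, the organizerOf registry, registerContest, the typed-data layout and the simplified distributeByOwner signature are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Added illustration; every name except distributeByOwner is hypothetical.
contract ConsentedOwnerDistribution is Ownable, EIP712 {
    bytes32 private constant DISTRIBUTE_TYPEHASH =
        keccak256("Distribute(address proxy,bytes32 dataHash,uint256 nonce)");

    mapping(address => address) public organizerOf; // proxy => organizer, write-once
    mapping(address => uint256) public nonces;      // organizer => next unused nonce

    error AlreadyRegistered();
    error OrganizerDidNotConsent();
    error DistributionFailed();

    constructor() EIP712("ConsentedOwnerDistribution", "1") {}

    // Write-once, so the owner cannot swap in a signer they control after
    // the organizer has checked this entry and funded the proxy.
    function registerContest(address proxy, address organizer) external onlyOwner {
        if (organizerOf[proxy] != address(0)) revert AlreadyRegistered();
        organizerOf[proxy] = organizer;
    }

    // Expiry check (7 days after close) omitted to keep the focus on consent.
    function distributeByOwner(address proxy, bytes calldata data, bytes calldata signature)
        external
        onlyOwner
    {
        address organizer = organizerOf[proxy];
        // The digest binds consent to this chain and contract (EIP-712 domain),
        // this proxy, the exact distribution calldata, and a one-time nonce.
        bytes32 structHash = keccak256(
            abi.encode(DISTRIBUTE_TYPEHASH, proxy, keccak256(data), nonces[organizer]++)
        );
        address signer = ECDSA.recover(_hashTypedDataV4(structHash), signature);
        if (organizer == address(0) || signer != organizer) revert OrganizerDidNotConsent();

        (bool ok,) = proxy.call(data);
        if (!ok) revert DistributionFailed();
    }
}
```

Because the signed digest covers the hash of the distribution calldata, a compromised or malicious owner cannot substitute different winners or percentages without invalidating the organizer's signature.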