Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

Organizer can deploy Proxy pointing to custom implementation

Summary

Organizer can deploy Proxy pointing to custom implementation.


NOTE: It is understood and acknowledged that the SPARKN team plans to implement off-chain KYC, a reputation rating system, etc. for organizers to deter malicious behaviour. While that is a good step, several on-chain measures can also be taken to limit an organizer's ability to misbehave. These measures are detailed in the last section, under Recommendations.

Vulnerability Details

Once the owner starts a contest via setContest(), nothing stops a malicious organizer from deploying a proxy that points to their own custom implementation instead of Distributor.sol. This FakeDistributor (custom implementation contract) can be used to steal funds or otherwise behave in ways the protocol did not intend.

Please note that it is not clear how the unique contestId generated off-chain (and hence the contest started by the owner via setContest()) is linked to the proxy contract deployed by the organizer, or whether any constraint is applied to the organizer to prevent such behaviour.

The following PoC can be run via forge test --mt test_OrganizerCanDeployProxyPointingToCustomImplementation -vv:

```solidity
// factoryAdmin, organizer, sponsor, proxyFactory, distributor and jpycv2Address are
// assumed to be initialised in the test suite's setUp(), as in the rest of the test file.
function test_OrganizerCanDeployProxyPointingToCustomImplementation() public {
    // setup: owner registers/starts the contest for the organizer, bound to the real Distributor
    bytes32 randomId = keccak256(abi.encode("Jason", "001"));
    vm.prank(factoryAdmin);
    proxyFactory.setContest(organizer, randomId, block.timestamp + 8 days, address(distributor));
    bytes32 salt = keccak256(abi.encode(organizer, randomId, address(distributor)));

    // organizer deploys a proxy pointing to a custom implementation instead of Distributor
    vm.prank(organizer);
    Proxy fakeProxy = new Proxy{salt: salt}(makeAddr("FakeDistributor"));

    // sponsor funds the contest by sending the reward tokens to the organizer's proxy
    vm.prank(sponsor);
    MockERC20(jpycv2Address).transfer(address(fakeProxy), 10000 ether);

    // The implementation contract deployed at the "FakeDistributor" address can steal the
    // funds or behave however the organizer wants.
}
```

Impact

  • Custom behaviour/loss of sponsor's funds due to malicious contract deployment by the organizer.

  • Bypasses protocol's intended behaviour.

Tools Used

Manual review, forge test.

Recommendations

While the SPARKN team will have more visibility into the on-the-ground business challenges, the following flow seems strong enough to deter a malicious organizer. It is inspired in part by SPARKN's approach to the distributeByOwner() functionality, where a 5% fee is charged to deter casual requests. Imposing a financial cost on an attack works well:

  • Making them pay upfront (a registration fee of sorts), before the contest starts.

  • Control for proxy deployment stays with the owner.

  • Contest is only 'registered' via setContest(), NOT started.

  • Contest is started only after proxy deployment by the owner, which in turn happens only after the organizer/sponsor has transferred the total funds to the proxy address.

  • Distribution of rewards needs owner's approval.

Below is one such recommended workflow:

Step 1

```mermaid
sequenceDiagram
Organizer->> Owner: Send a small 'registration' fee to owner for him to setContest().<br/>Also send info about total reward amount.
Note right of Owner: Owner registers contest with unique contestId.<br/>Also deploys the proxy contract with info about <br/>total rewards to be allocated in future.<br/>(Contest is NOT started. Only "registered".)
```

Step 2

```mermaid
sequenceDiagram
Organizer->> ProxyContract: Send funds (total reward money for the contest)
Note left of Organizer: Organizer has 1 to 2 days (can be predefined by the Owner) <br/>to send total funds to the Proxy contract.<br/>Once complete funds (as per information provided in step 1) are received, <br/>contest starts automatically.
```

Step 3 (Contest Closes/Expires)

```mermaid
sequenceDiagram
Organizer/Owner->> ProxyContract: Request/Instruct to distribute rewards
ProxyContract->> Winners: Rewards distributed
Note left of Organizer/Owner: OPTIONAL: Organizer can distribute funds only after<br/>approval from Owner.
```
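As an added example, not part of this submission or SPARKN's code base, a hypothetical GuardedProxyFactory that implements the workflow above: the organizer pays a registration fee, only the factory deploys the proxy and always binds it to the vetted Distributor, the contest moves from Registered to Started only once the proxy holds the declared reward funds, and a sponsor can call isTrustedProxy before sending money. All contract, function and variable names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
interface IERC20 { function balanceOf(address account) external view returns (uint256); }

/// Minimal proxy with an implementation fixed at construction (stand-in for Proxy.sol, assumed).
contract GuardedProxy {
    address public immutable implementation;
    constructor(address impl) { implementation = impl; }
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

/// Hypothetical factory (not SPARKN's ProxyFactory) enforcing the recommended flow.
contract GuardedProxyFactory {
    enum Status { None, Registered, Started }
    struct Contest { address organizer; address proxy; address token; uint256 requiredFunds; uint256 fundingDeadline; Status status; }
    address public immutable owner;
    address public immutable distributor;      // the only implementation a proxy can ever point to
    uint256 public immutable registrationFee;  // financial cost that deters casual/malicious registrations
    mapping(bytes32 => Contest) public contests;
    constructor(address distributor_, uint256 fee) { owner = msg.sender; distributor = distributor_; registrationFee = fee; }

    // Step 1: organizer pays the fee and declares the reward amount; the factory, not the
    // organizer, deploys the proxy, so the implementation address is never organizer-chosen.
    function registerContest(bytes32 contestId, address token, uint256 rewards) external payable {
        require(msg.value == registrationFee, "registration fee");
        require(contests[contestId].status == Status.None, "already registered");
        bytes32 salt = keccak256(abi.encode(msg.sender, contestId, distributor));
        address proxy = address(new GuardedProxy{salt: salt}(distributor));
        contests[contestId] = Contest(msg.sender, proxy, token, rewards, block.timestamp + 2 days, Status.Registered);
    }
    // Step 2: the contest starts only once the proxy actually holds the declared funds,
    // and only inside the funding window fixed at registration.
    function startContest(bytes32 contestId) external {
        Contest storage c = contests[contestId];
        require(c.status == Status.Registered && block.timestamp <= c.fundingDeadline, "not fundable");
        require(IERC20(c.token).balanceOf(c.proxy) >= c.requiredFunds, "underfunded");
        c.status = Status.Started;
    }
    // Sponsor-side check: only send reward money to the proxy the factory itself deployed.
    function isTrustedProxy(bytes32 contestId, address proxy) external view returns (bool) {
        return proxy != address(0) && contests[contestId].proxy == proxy;
    }
}
```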
