Sparkn

Summary

In the contract creation function there is check if the passed implementation is address(0), but there isn't check if the implementation is a valid (not vulnerable) contract.
In the current architecture all implementations are dependant on the factory contract and especially the whitelistedTokens inside it, but we never check if the implementation address, with which we initialize the contest references the valid factory contract.

Vulnerability Details

This could lead to lost funds, if malicious implementation is being passed, or locked funds if wrong address is passed by mistake.

Impact

1. Imagine having the same factory contract, but initialized from Eve, but inside withlisted array, there are vulnerable and strange contracts.

2. Eve also creates an implementation, which looks just as the original one, except that the factory address is the one with the vulnerable whitelist.

3. Now if by any mistake the owner of the original factory pass implementation, which points to different factory contract, there won't be warning and the new contest will start.

4. Sponsors send funds to the new proxy and the period ends and it is time to distribute the prizes.

5. The prizes are locked forever, because of the check:

There could also be different scenarios, if there is other valid implementation, which won't revert, but distribute tokens to the hacker, or DoS in some other way.

Tools Used

Manual Review

Recommendations

Consider making an interface for all implementations, which should contain function getFactoryAddress() method and then use it in the factory on contest creation to validate if the passed implementation address points to the current factory.
This may also be prevented by vulnerable implementation, but then the code won't be identical to a valid implementation.
Checking the creator of the implementation if it a trusted owner could also prevent wrong implementations.