the event Distributed(proxy, data); will be emitted even though no reward has been distributed, and the winners are treated as already rewarded.

This vulnerability arises from insufficient checks for the existence of the specified proxy contract before the distribution proceeds. In the function distributeByOwner() the owner can distribute the reward of any proxy once EXPIRATION_TIME has passed, but the function does not check that the proxy has actually been deployed. The function _distribute then makes an external call to the proxy with the low-level call keyword. A low-level call to an address that holds no code does not revert (the EVM returns success with empty return data), so the event is emitted and the reward is recorded as distributed.

Any system integrated with the proxyFactory contract, and any frontend of the project, will be misled by this event, and the winners who were supposed to be rewarded lose their funds.
1) Imagine the owner sets up a contest and obtains the salt.
2) The owner gets the proxy address by calling the function getProxyAddress(), which returns the precomputed address even if the proxy has not been deployed.
3) The owner calls the function distributeByOwner(), which calls the non-deployed proxy; the low-level call in _distribute does not revert.
4) The event Distributed(address indexed proxy, bytes data); is emitted, and the frontend or monitoring system assumes this proxy was deployed and its rewards distributed.
5) The winners of that contest are prevented from getting their rewards.
Manual review and VSCode.
Add a check that the proxy has been deployed before the reward is distributed. The check can be a mapping from the proxy address to bool, updated every time a proxy is deployed, with the check added in the function _distribute. A cheaper but weaker alternative is to require proxy.code.length != 0 before the call; the mapping is preferable because it also rejects contracts that were not deployed by this factory.
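The following is an added illustration of the proof of concept above and of the recommended mitigation; it is not Sparkn's ProxyFactory code. The names getProxyAddress, distributeByOwner, _distribute and Distributed follow this report, while the Proxy stand-in, the owner check, the deployProxy helper, the isDeployed mapping and the ProxyNotDeployed error are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration for this finding, not the project's own code.
// Names follow the report; the bodies are minimal assumptions.

// Stand-in for the distributor proxy: any calldata is accepted.
contract Proxy {
    event Paid(bytes data);
    fallback() external payable { emit Paid(msg.data); }
}

contract VulnerableFactory {
    event Distributed(address indexed proxy, bytes data);

    address public immutable owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // A CREATE2 address is a pure function of (factory, salt, initcode), so this
    // returns a valid-looking address whether or not deployProxy() ever ran.
    function getProxyAddress(bytes32 salt) public view returns (address) {
        bytes32 hash = keccak256(abi.encodePacked(
            bytes1(0xff), address(this), salt, keccak256(type(Proxy).creationCode)
        ));
        return address(uint160(uint256(hash)));
    }

    function deployProxy(bytes32 salt) public returns (address proxy) {
        proxy = address(new Proxy{salt: salt}());
        _afterDeploy(proxy);
    }

    function distributeByOwner(address proxy, bytes calldata data) external onlyOwner {
        _distribute(proxy, data);
    }

    // BUG: `proxy.call` against an address with no code returns success == true
    // and empty return data, so the event fires although nothing was paid out.
    function _distribute(address proxy, bytes calldata data) internal virtual {
        (bool success,) = proxy.call(data);
        require(success, "distribute failed");
        emit Distributed(proxy, data);
    }

    function _afterDeploy(address) internal virtual {}
}

contract HardenedFactory is VulnerableFactory {
    error ProxyNotDeployed(address proxy);

    // Written only by this factory's own deploy path, so a precomputed but
    // undeployed address (or a contract deployed by someone else) cannot pass.
    mapping(address => bool) public isDeployed;

    function _afterDeploy(address proxy) internal override {
        isDeployed[proxy] = true;
    }

    function _distribute(address proxy, bytes calldata data) internal override {
        // Mapping check first; the code-size check is a second line of defence.
        if (!isDeployed[proxy] || proxy.code.length == 0) revert ProxyNotDeployed(proxy);
        super._distribute(proxy, data);
    }
}
```

To reproduce the finding, deploy VulnerableFactory, call getProxyAddress(salt) without ever calling deployProxy(salt), and pass the returned address to distributeByOwner(addr, ""): the call succeeds and Distributed is emitted for an address that holds no contract. The same sequence against HardenedFactory reverts with ProxyNotDeployed, and only an address that went through deployProxy() (which sets isDeployed) can be distributed.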