Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

In case the contract uses multiple tokens as reward for the contest, then it won't be able to distribute all rewards directly.

breeje

Summary

In case the contract uses multiple tokens as reward, organizers will not be able to distribute it themselves.

Vulnerability Details

As Sparkn aims to build a marketplace for anyone who wants to solve their problems or anyone who wants to help solve problems. There will be instances where the organizer will be looking to provide rewards through different tokens with some ratios.

For Example, a protocol X can host a contest to solve their problems and given budget constraints they might like to reward helpers with 50% of Stable Coin like USDC + 50% of their own governance token. In such a scenario:

Organizer will transfer the funds to proxy contract.
Organizer will call deployProxyAndDistribute to deploy the contract and distribute funds.

function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)

public

returns (address)

{

bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);

if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();

// can set close time to current time and end it immediately if organizer wish

if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();

address proxy = _deployProxy(msg.sender, contestId, implementation);

_distribute(proxy, data);

return proxy;

}

Given, distribute function in Distributor contract only takes 1 token address, Organizer will only be allowed to distribute single token. For rest of the token, organizer will be dependent on owner to distribute it on their behalf through: distributeByOwner.

function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)

external

{

if (msg.sender != FACTORY_ADDRESS) {

revert Distributor__OnlyFactoryAddressIsAllowed();

}

_distribute(token, winners, percentages, data);

}

Impact

Organizer will fail to distribute all the rewards

Tools Used

VS Code

Recommendations

Many possible solutions for this like sending an Array of winners data structure which includes token and amount. But easiest one is to add a function to allow organizer of a particular contest with the required validation to call _distribute so that they can rescue their own funds till the time they are within the contest period time.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.