Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

Critical Access Control Vulnerability in deployProxyAndDistribute Function

Summary

The deployProxyAndDistribute function does not verify that the caller is the organizer of the contest identified by the supplied contest ID. Any account that knows a valid contest ID could therefore deploy the contest's proxy and pass its own distribution data, directing the rewards to addresses it controls. A check of msg.sender against the organizer recorded for that contest ID is required to close this gap.

Vulnerability Details

The deployProxyAndDistribute function accepts a contest ID together with the distribution data, but it never compares msg.sender with the organizer associated with that contest ID. The contest ID itself is not a secret: it is part of the calldata of the setContest transaction and can be read from any block explorer. The only thing standing between an arbitrary caller and the deployment and distribution path is therefore knowledge of a publicly visible value.

Impact

Any account that has read a valid contest ID from the chain can call deployProxyAndDistribute, deploy the contest's proxy and supply distribution data of its own making, so that the rewards are paid to the attacker's address rather than to the winners chosen by the organizer. This defeats the fairness the contest is meant to guarantee and results in a direct loss of the contest funds, with the corresponding reputational damage to the organizer and the protocol.

Tools Used

Manual Review

Exploit Scenario

  1. The attacker obtains a valid contest ID, for example by reading the input data of the setContest transaction on a block explorer, since the contest ID is passed as an argument of that call.

  2. The attacker calls the unprotected deployProxyAndDistribute function with that contest ID and distribution data of their own construction, in which the attacker's address replaces the addresses of the actual winners.

  3. Because no organizer check is performed, the call succeeds: the proxy is deployed and the rewards are transferred to the attacker's chosen address.

Recommendations

Add a check to deployProxyAndDistribute that reverts unless msg.sender equals the organizer address stored for the given contest ID (for instance via a mapping from contest ID to organizer that setContest populates, enforced by a modifier or a custom error). If the contract instead derives the contest's storage key from msg.sender together with the contest ID and the implementation address, confirm that the key used at call time is recomputed from msg.sender; a key that is not bound to the caller provides no protection.
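The unchecked pattern described in this report and the recommended fix side by side, as an added illustration written for this submission and not Sparkn's own ProxyFactory code. The contract name, its storage layout (a mapping from contest ID to organizer, implementation and close time), the setContest signature, the error names and the EIP-1167 minimal-proxy deployment are all assumptions made for the example; the only point it demonstrates is the missing msg.sender check and where it belongs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical minimal contest factory written for this report.
/// It is NOT the Sparkn ProxyFactory; every name and storage detail here is assumed.
contract ContestFactoryExample {
    error ContestNotRegistered();
    error ContestNotClosed();
    error NotOrganizer();

    struct Contest {
        address organizer;
        address implementation;
        uint256 closeTime;
    }

    // Assumed storage: contest ID -> contest metadata, written by setContest.
    mapping(bytes32 => Contest) public contests;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    /// Owner registers a contest on behalf of an organizer. contestId travels in
    /// this transaction's calldata and is visible on any block explorer, so it
    /// must never be treated as a secret or as proof of authorization.
    function setContest(bytes32 contestId, address organizer, address implementation, uint256 closeTime) external {
        require(msg.sender == owner, "only owner");
        contests[contestId] = Contest(organizer, implementation, closeTime);
    }

    /// VULNERABLE variant (the pattern this report describes): anyone who knows
    /// contestId can deploy the proxy and pass arbitrary distribution data.
    function deployProxyAndDistributeUnchecked(bytes32 contestId, bytes calldata data)
        external
        returns (address proxy)
    {
        Contest memory c = contests[contestId];
        if (c.organizer == address(0)) revert ContestNotRegistered();
        if (c.closeTime > block.timestamp) revert ContestNotClosed();
        proxy = _deployAndDistribute(contestId, c.implementation, data);
    }

    /// HARDENED variant: the caller must be the organizer recorded for contestId.
    function deployProxyAndDistribute(bytes32 contestId, bytes calldata data)
        external
        returns (address proxy)
    {
        Contest memory c = contests[contestId];
        if (c.organizer == address(0)) revert ContestNotRegistered();
        if (msg.sender != c.organizer) revert NotOrganizer(); // the missing check
        if (c.closeTime > block.timestamp) revert ContestNotClosed();
        proxy = _deployAndDistribute(contestId, c.implementation, data);
    }

    /// Deploys an EIP-1167 minimal proxy for `implementation` at a CREATE2
    /// address salted by contestId, then forwards `data` (the encoded
    /// distribution call) to it. `data` is attacker-controlled in the
    /// unchecked variant, which is exactly why the caller check matters.
    function _deployAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        internal
        returns (address proxy)
    {
        bytes memory code = abi.encodePacked(
            hex"3d602d80600a3d3981f3363d3d373d3d3d363d73",
            implementation,
            hex"5af43d82803e903d91602b57fd5bf3"
        );
        assembly {
            proxy := create2(0, add(code, 0x20), mload(code), contestId)
        }
        require(proxy != address(0), "create2 failed");
        (bool ok, ) = proxy.call(data);
        require(ok, "distribute failed");
    }
}
```

With the unchecked variant, any account can call it using a contest ID copied from the setContest calldata and its own encoded distribution call; with the hardened variant the same call reverts with NotOrganizer unless it comes from the address registered for that contest. If the real contract keys its storage by a salt derived from msg.sender, verify that the salt is recomputed from msg.sender inside deployProxyAndDistribute, since that recomputation is what would make the check implicit.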
