Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Supporters could potentially not get paid for their work

breeje

Summary

Misaligned incentives can lead to malicious Organizer Behavior.

Vulnerability Details

Fundamentally, SPARKN protocol is a project that aims to build a marketplace for anyone who wants to solve their problems or anyone who wants to help solve problems.

Smart contracts are not just about features implementation but also it is the responsibility of the protocol to align incentives such that the protocol always works in a certain expected way. In case anyone try to act malicious, they should be disincentive for doing that.

The implementation through ProxyFactory fails to consider a possible a malicious organizer attack vector. Because of this, there is high incentive for organizers to act in a malicious way.

function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)

public

onlyOwner

{

if (organizer == address(0) || implementation == address(0)) revert ProxyFactory__NoZeroAddress();

if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {

revert ProxyFactory__CloseTimeNotInRange();

}

bytes32 salt = _calculateSalt(organizer, contestId, implementation);

if (saltToCloseTime[salt] != 0) revert ProxyFactory__ContestIsAlreadyRegistered();

saltToCloseTime[salt] = closeTime;

emit SetContest(organizer, contestId, closeTime, implementation);

}

As you can see, there is no deposits upfront for the organizer. As Juliaaa also mentioned on discord that:

organizer can act maliciously if there is no limitation to it. We are planning to e.g. force people to login with SNS or KYC and reputation system for that.

Currently, it is hard to address the issue of sybil attack because there no good identity layer yet in my opinion.

However, if you have some better solution, you will be welcomed to report to us.

The better approach here is to transfer all the contest funds or some percentage of contest funds to ProxyFactory in the setContest function itself.

This way the organizer won't have any real incentive to behave maliciously and doing this makes sure that the protocol will not require third party identity verification or any reputation system.

Also, add a mediation role which can can be called by:

Organizer in case nobody has done work worth of deposit and they want a refund.
Supporter in case they do not receive the amount for their work. Catch here is Supporter will be required to pay mediation fees in order to call mediation which will disincentivize anyone to randomly call mediation.

Impact

Possible scenario where organizer are incentivized to behave maliciously and can get their work done for free.

Tools Used

VS Code

Recommendations

Consider a way to include some amount of deposit from the organizer at the time of launching/approving a contest by owner using setContest function. This will disincentive organizers from considering any malicious activities.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.