The `STADIUM_ADDRESS` is hardcoded in the implementation contract. It is supposed to receive 5% of the rewards on every proxy deployment.

Suppose `STADIUM_ADDRESS` gets compromised: the private key is exposed or hacked, enabling the hacker to run a bot that transfers all incoming funds to another address under their control. Unfortunately, there is no mechanism for the organizer or the proxy factory owner to alter `STADIUM_ADDRESS`. As a result, all the reward fees are now sent to the hacker-controlled address.

To address this vulnerability, one potential solution is to deploy a new implementation with an alternative `STADIUM_ADDRESS`, or to define a function called `changeStadiumAddress` through which the `STADIUM_ADDRESS` can be changed. However, it's important to note that contracts deployed with the old `STADIUM_ADDRESS` will remain susceptible.
## Impact
The funds designated for rewards fees could be diverted to unauthorised accounts.
Manual Review
Write a function to update the `STADIUM_ADDRESS`, which will help resolve this vulnerability. The caller of the function should be the factory address or the owner of the factory.
Example:
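One way to implement the recommended setter, as an added example that is not the report's or the project's own code. It assumes the proxies delegatecall into the implementation, so the recipient is kept in a factory-side contract and looked up at payout time; every name except `changeStadiumAddress` is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the project's code. All names except
// changeStadiumAddress are hypothetical.
contract FactoryFeeConfig {
    address public immutable owner;
    address public stadiumAddress; // current recipient of the 5% fee

    event StadiumAddressChanged(address indexed previous, address indexed current);

    error NotOwner();
    error ZeroAddress();

    constructor(address initialStadium) {
        if (initialStadium == address(0)) revert ZeroAddress();
        owner = msg.sender;
        stadiumAddress = initialStadium;
    }

    // Only the factory owner may rotate the recipient, e.g. after a key compromise.
    function changeStadiumAddress(address newStadium) external {
        if (msg.sender != owner) revert NotOwner();
        if (newStadium == address(0)) revert ZeroAddress();
        emit StadiumAddressChanged(stadiumAddress, newStadium);
        stadiumAddress = newStadium;
    }
}

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Implementation behind the proxies. Only the config contract's address is an
// immutable (embedded in bytecode, so it is visible under delegatecall); the
// fee recipient itself is resolved on every payout instead of being hardcoded.
contract DistributorSketch {
    FactoryFeeConfig public immutable feeConfig;

    constructor(FactoryFeeConfig config) { feeConfig = config; }

    function _payFee(IERC20 token, uint256 fee) internal {
        address recipient = feeConfig.stadiumAddress();
        // Sketch only: tokens that return no bool need a safe-transfer wrapper.
        require(token.transfer(recipient, fee), "fee transfer failed");
    }
}
```

With this layout the owner key becomes the trust anchor for fee routing, so it should be held by a multisig or similar rather than a single externally owned account.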