Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Contest owner may claim prizes for him/herself when distributing.

Summary

A contest owner can call deployProxyAndDistribute once the contest has ended and is eligible for prize distribution. The owner can then delegatecall distribute on the proxy with a winners list that contains only the owner him/herself. This way the owner takes the whole prize and the real winners receive nothing.

Vulnerability Details

In ProxyFactory.sol, the deployProxyAndDistribute function lets the contest owner deploy a proxy contract and distribute prizes to the winners. When the calldata supplied by the contest owner encodes a distribute call, it proceeds and distributes the prizes to the winners. However, the function caller, the contest owner, has full control over the winners addresses. The owner can simply set him/herself as the sole winner and supply matching values for the remaining parameters; distribute will then send the tokens to the winner addresses, in this case the owner, while the intended winners receive no prize at all.

Impact

Winners will not get their deserved prizes.

Tools Used

Manual review.

Recommendations

The contest creator should not be eligible to claim prizes, and the selected winners should be recorded in contract storage so that distribution can only pay the stored winners and all of them receive their deserved prizes.
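One way to implement this recommendation, as an added example (a hypothetical, simplified Solidity sketch, not Sparkn's ProxyFactory or Distributor code): the winners list is committed to storage first, the organizer is rejected as a payee, and the distribution step reads only the stored list instead of caller-supplied calldata.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch (not Sparkn's code): winners are recorded on-chain
// before any payout, and the organizer can never appear in the list.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract GuardedDistributor {
    address public immutable organizer;
    address public immutable token;
    address[] public committedWinners;
    uint256[] public committedShares; // basis points, must sum to 10_000
    bool public distributed;

    constructor(address _organizer, address _token) {
        organizer = _organizer;
        token = _token;
    }

    // Step 1: record winners in storage. The list is frozen once set, so it
    // can be reviewed on-chain before the payout happens.
    function commitWinners(address[] calldata winners, uint256[] calldata shares) external {
        require(msg.sender == organizer, "not organizer");
        require(committedWinners.length == 0, "already committed");
        require(winners.length == shares.length && winners.length > 0, "bad input");
        uint256 total;
        for (uint256 i = 0; i < winners.length; i++) {
            require(winners[i] != organizer, "organizer cannot be a winner");
            require(winners[i] != address(0), "zero winner");
            total += shares[i];
        }
        require(total == 10_000, "shares must sum to 100%");
        committedWinners = winners;
        committedShares = shares;
    }

    // Step 2: pay out strictly from the committed list; the caller supplies
    // no addresses, so the payee set cannot be changed at distribution time.
    function distribute(uint256 prizePool) external {
        require(committedWinners.length > 0, "no winners committed");
        require(!distributed, "already distributed");
        distributed = true;
        for (uint256 i = 0; i < committedWinners.length; i++) {
            uint256 amount = (prizePool * committedShares[i]) / 10_000;
            require(IERC20(token).transfer(committedWinners[i], amount), "transfer failed");
        }
    }
}
```

The separation of commit and payout also leaves an on-chain record of the chosen winners that participants can check before the prize moves.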
