Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Lack of contract existence checks

Summary

The delegatecall in the fallback function in the Proxy.sol contract lacks a contract existence check. A failure to check for this existence may mislead a user into thinking that a failed transaction was successful.

Vulnerability Details

A delegatecall to a self-destructed contract returns success. Because the proxy never checks that the target still exists, a series of batched transactions may appear to succeed even when one of them actually did nothing. As the Solidity documentation notes: "The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed."

Impact

An attacker upgrades the proxy to point to an incorrect new implementation. As a result, each delegatecall returns success without changing the state or executing code. This can be used to scam users.

Tools Used

Manual code analysis, previous reports

Recommendations

Before delegate-calling into the target contract, check if it exists.

```solidity
uint256 codeSize;
assembly {
    // extcodesize returns 0 for an EOA, a self-destructed contract or an empty address
    codeSize := extcodesize(_target)
}
require(codeSize > 0);
```
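As an added example that is not Sparkn's Proxy.sol, a minimal upgradeable proxy in which both the upgrade path and the fallback refuse an address with no code; the contract name, the owner gate and the use of the EIP-1967 implementation slot are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical upgradeable proxy (not Sparkn's Proxy.sol) that refuses to
/// delegatecall into an address with no code, as recommended above.
contract CheckedProxy {
    // EIP-1967 implementation slot, so proxy state cannot collide with the implementation's storage.
    bytes32 private constant _IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address public immutable owner;
    error NoCodeAtTarget(address target);

    constructor(address _implementation) {
        owner = msg.sender;
        _setImplementation(_implementation);
    }

    function upgradeTo(address _newImplementation) external {
        require(msg.sender == owner, "not owner");
        _setImplementation(_newImplementation);
    }

    function implementation() public view returns (address impl) {
        bytes32 slot = _IMPL_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address _target) internal {
        // Also reject at upgrade time, so an address with no code is never stored.
        if (_target.code.length == 0) revert NoCodeAtTarget(_target);
        bytes32 slot = _IMPL_SLOT;
        assembly { sstore(slot, _target) }
    }

    fallback() external payable { _delegate(implementation()); }

    function _delegate(address _target) internal {
        // extcodesize is 0 for an EOA, a self-destructed contract or an empty address;
        // delegatecall to any of these returns success without running code (the bug above).
        uint256 codeSize;
        assembly { codeSize := extcodesize(_target) }
        if (codeSize == 0) revert NoCodeAtTarget(_target);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), _target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

extcodesize is also 0 while the target's constructor is still running, and the check says nothing about whether the code at that address is the intended implementation, so it complements access control on upgrades rather than replacing it.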
