Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

ProxyFactory - Malicious attacker can frontrun and deploy a proxy contract, which makes it impossible to distribute funds through normal means

vangrim

Summary

The ProxyFactory contract contains coupled **deploy** and **distribute** functions. This flaw could enable a malicious actor to frontrun genuine transactions, thereby deploying a proxy contract and disrupting the fund distribution process for the organizer and signature-trustee.

Vulnerability Details

Within the functions associated with the deployment of proxy contracts (deployProxyAndDistribute, deployProxyAndDistributeBySignature, deployProxyAndDistributeByOwner), there exists an avenue for unauthorized creation. A potential attacker, having insights into the predictable salt generation by the _calculateSalt function, can frontrun a transaction to deploy a proxy contract before the intended party does so.

The frontrunning means that when the actual party calls the above functions, the whole transaction will revert since the malicious attacker has already created the proxy using the same parameters.

// proxy deployment logic

address proxy = _deployProxy(organizer, contestId, implementation);

_distribute(proxy, data);

Thus, the intended parties cannot distribute the funds until it is rescued by the owner through the distributeByOwner function.

Example

A contest has finished, and the organizer calls the **deployProxyAndDistribute** function with the correct parameters.
A malicious attacker sees the transaction to deploy the proxy and frontruns it by deploying it before the organizer.
The transaction by the organizer reverts since the proxy has already been deployed, which means that the funds cannot be distributed by the organizer anymore.

Impact

It will always be possible to stall the contest until the saltToCloseTime[salt] + EXPIRATION_TIME and centralize the responsibility to the owner, which might erode the trust in the SPARKN platform.

Severity: Low

The funds can always be rescued and distributed by the owner after expiration, which doesn’t put the funds at risk through this attack vector.

Likelihood: Medium/High

It is a relatively easy attack vector to pull off for a malicious attack vector - whenever the malicious attacker wants to stall a contest they are able to do so.

Tools Used

Manual review.

Recommendations

Consider decoupling the proxy creation and distribution functionalities into two different functions, so that they will be callable regardless of the responsible parties (organizer, signature-trustee, owner) so that always are callable regardless of the proxy being created.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.