Organizers can manipulate the winner array in the deployProxyAndDistribute or deployProxyAndDistributeBySignature functions. This vulnerability allows organizers to unjustly insert themselves into the list of winners, enabling them to misappropriate and siphon off the winnings intended for legitimate winners.
The deployProxyAndDistribute and deployProxyAndDistributeBySignature functions do not have stringent checks in place to prevent the addition or modification of entries within the winner array by organizers.
Given their elevated access, organizers can exploit this oversight to include their addresses in the winner array, thereby ensuring they receive a portion, or even the entirety, of the winnings.
Financial Loss for Legitimate Winners: As organizers can position themselves to receive winnings, legitimate winners stand at risk of either not receiving their rightful share or potentially receiving nothing at all.
Erosion of Platform Integrity: Such acts of misappropriation can significantly erode the trust users place in the platform. Over time, the perceived lack of fairness can lead to a decrease in participation and engagement.
The severity is high since a malicious organizer can run away with all the rewards.
The likelihood or ease of the attack vector is also high since there currently are no security measures to mitigate such siphoning of funds.
The protocol needs to rethink its approach of allowing the organizer to deploy the proxy and distribute funds single-handedly. Some mitigation points that might be of interest:
Introduce functionality that correlates the contest's winner array with the “winning method.” For example, an ECDSA recover that takes the message hash from the contest win and the winner’s signature.
KYC of the winners correlated with the winner array.
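One way to implement the ECDSA-recover check from the first mitigation point, added here as an example and not taken from the protocol's code. The contract, its function names, the Sig struct and the digest layout are assumptions, as is the premise that each win hash is produced by the contest's winning method rather than chosen by the organizer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the protocol's code. All names here are hypothetical.
contract WinnerAttestation {
    // secp256k1 group order divided by 2; signatures with a larger s are malleable.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    struct Sig { uint8 v; bytes32 r; bytes32 s; }

    // Digest a winner signs. Binding chain id, this contract and the contest id
    // stops a signature from being replayed for another contest or deployment.
    function winDigest(bytes32 contestId, bytes32 winHash, address winner)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), contestId, winHash, winner)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    // Reverts unless every winners[i] signed the digest for winHashes[i].
    // Assumption: winHashes come from the contest's winning method, not from
    // the organizer; otherwise the check only proves control of each key.
    function requireAttestedWinners(
        bytes32 contestId,
        bytes32[] calldata winHashes,
        address[] calldata winners,
        Sig[] calldata sigs
    ) external view {
        uint256 n = winners.length;
        require(n > 0 && n == winHashes.length && n == sigs.length, "length mismatch");
        for (uint256 i = 0; i < n; i++) {
            require(uint256(sigs[i].s) <= HALF_N, "non-canonical s");
            bytes32 digest = winDigest(contestId, winHashes[i], winners[i]);
            address signer = ecrecover(digest, sigs[i].v, sigs[i].r, sigs[i].s);
            // ecrecover returns address(0) on an invalid signature.
            require(signer != address(0) && signer == winners[i], "winner not attested");
        }
    }
}
```

A distribution function would call requireAttestedWinners before paying out, so an address the organizer adds to the array without a matching recorded win and signature causes the whole distribution to revert.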