Sparkn

Summary

[Just figured out that I got it wrong, didn't wanna remove the text because I invested a lot of time in reporting it and I like the way it came out even though it's wrong lol]

As was mentioned in the Discord channel by the project creator: "If the sponsor/organizer fails to take action after the contest expiration, the owner has the authority to distribute the funds"

Right now, the owner can distribute the funds of any contest whenever they want after the contest ends, regardless of whether the sponsor/organizer did their part.

This means the owner could manipulate all the contests in the Sparkn system and send the tokens to any account they want. It's important to note that even if people trust the owner, they become a big target to a cyber attack.

If someone hacks into the owner's systems and gets access to their private key, they could steal all the money form all the contests created in the platform.

Vulnerability Details

According to the project's documentation and the creator's statement, the owner should only distribute contest rewards if the organizer/sponsor fails to do so.

In the current smart contract, the owner has the ability to distribute rewards once the contest is over, within the same time frame as the organizer.

The owner can even frontrun the organizer transaction and distribute rewards earlier, making the organizer distribution transaction fail.

Despite the owner's trustworthiness, there's a way to restrain their authority without affecting the protocol's functionality. I'll explain this approach further in the recommendations section.

Impact

If the owner's private key is compromised, it would allow a hacker to easily steal all the tokens across all contests within the Sparkn system.

Tools Used

Manual Review

Recommendations

To ensure that the admin can only distribute rewards if the organizer/sponsor has failed to do so, in line with the project owner's instructions, a timelock mechanism should be implemented for the owner distribution functionality.

This can be achieved by predefining a delay duration in the ProxyFactory.sol contract:

Then modify the timestamp checks within the owner distribution functions. Allow the owner to distribute funds only after the timelock period has elapsed, including the additional delay specified, in both deployProxyAndDistributeByOwner and distributeByOwner:

Change the following line of code:

To:

This approach introduces a time gap during which organizers can withdraw the funds before the owner gains access. It serves as a safeguard in the event of the owner's private key being compromised, protecting the contest funds.

By incorporating this timelock and delay mechanism, the project ensures greater security and accountability in distributing contest rewards.