Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: medium

[M-01] Deviating From Protocol's "Happy Path" Might Lead to Unexpected/Unintended Behaviour

Summary

Deviating from the protocol's "Happy Path" might lead to unexpected/unintended behaviour in terms of what is specified in the documentation and sponsors' expectations.

Vulnerability Details

As per the documentation:

"If a contest is created and funded, there is no way to refund. All the funds belong to the persons who wants to help solve the problem, we call them "supporters". And there is a certain assets-locking period of time in which no one except the organizer can call and distribute the funds to the winners."

"All the funds belong to the persons who want to help solve the problem.."

If the "Happy Path" of the protocol is the assumption that every contest x has solution y, and refunding to the sponsors is strictly prohibited, what happens if there is NO solution to a contest?

Since the project's idea is: "SPARKN protocol is a Web3 project that aspires to create a marketplace for anyone looking to find solutions to their problems.."

In my opinion, it is not ludicrous to think that there could be a contest with a highly-complex problem that is simply not solved until the end of the contest's timeline. In that scenario, where there are no solutions proposed, or solutions that are incorrect, where do the sponsor funds go when they are supposed to go to the ones that came up with a solution?

There exists a function for the owner to distribute the funds, if the organizer hasn't done so, and the contest time has expired: distributeByOwner() in ProxyFactory.sol.
But that function also delegate calls to the _distribute() function inside Distributor.sol, which takes a 5% COMMISSION_FEE.

In an "emergency" scenario where there are no solutions, or incorrect solutions to a contest, even though Refunding is Prohibited - I assume that the owner will use distributeByOwner() to refund the sponsors (otherwise to whom will they be sent?), in which case they still take a fee of 5% for just trying to incentivize a solution to a problem.

This seems like unexpected behaviour that deviates from the idea that for every contest x there is solution y. It could prove misleading/unfair to take a fee from sponsors when there is no solution. This is obviously more impactful the bigger the sponsor pool is for a contest.

No PoC needed for this, I believe.

Impact

Sponsors don't get a full refund in case of "emergency" unexpected behaviour where there is no solution to a contest.

Tools Used

VSCode, Manual Review

Recommendations

  1. Implement a function _emergencyDistributeToSponsors() that is the same as _distribute() but excludes the COMMISSION_FEE.

or

  1. Warn sponsors that, in the case of no solution, they will still incur a 5% fee.
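
A minimal sketch of the first recommendation, added here as an illustration and not taken from Sparkn's Distributor.sol: the normal path requires shares totalling 95% and sends the remainder as commission, while the emergency path requires 100% so nothing is withheld. The contract name, `FACTORY`, `FEE_RECIPIENT`, `BASIS_POINTS` and all function signatures are assumptions; only the 5% `COMMISSION_FEE` comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration: a simplified model, not the Sparkn Distributor.sol source.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
contract DistributorSketch {
    uint256 private constant BASIS_POINTS = 10_000; // assumed scale (100%)
    uint256 private constant COMMISSION_FEE = 500; // 5%, the fee named in the finding
    address private immutable FACTORY; // assumed: the only permitted caller
    address private immutable FEE_RECIPIENT; // assumed commission destination
    error NotFactory();
    error BadInput();
    error TransferFailed();

    constructor(address factory, address feeRecipient) {
        FACTORY = factory;
        FEE_RECIPIENT = feeRecipient;
    }

    modifier onlyFactory() {
        if (msg.sender != FACTORY) revert NotFactory();
        _;
    }

    // Normal path: winners share 95%; whatever remains is the commission.
    function distribute(IERC20 token, address[] calldata winners, uint256[] calldata bps) external onlyFactory {
        _payout(token, winners, bps, BASIS_POINTS - COMMISSION_FEE);
        _send(token, FEE_RECIPIENT, token.balanceOf(address(this)));
    }

    // Emergency path: shares must total 100%, so no commission is withheld.
    function emergencyDistributeToSponsors(IERC20 token, address[] calldata sponsors, uint256[] calldata bps) external onlyFactory {
        _payout(token, sponsors, bps, BASIS_POINTS);
    }

    function _payout(IERC20 token, address[] calldata to, uint256[] calldata bps, uint256 requiredTotal) private {
        if (to.length == 0 || to.length != bps.length) revert BadInput();
        uint256 total;
        for (uint256 i; i < bps.length; ++i) total += bps[i];
        if (total != requiredTotal) revert BadInput(); // validate before any transfer
        uint256 balance = token.balanceOf(address(this));
        for (uint256 i; i < to.length; ++i) _send(token, to[i], balance * bps[i] / BASIS_POINTS);
    }

    // Plain transfer for brevity; tokens that return no bool need a safe-transfer wrapper.
    function _send(IERC20 token, address to, uint256 amount) private {
        if (!token.transfer(to, amount)) revert TransferFailed();
    }
}
```

Who may trigger the emergency path, and when (for example only after the contest has expired), would still be enforced by the calling factory, as it is for distributeByOwner().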
