Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Input validation: user-error risk when the organizer calls getProxyAddress() with an incorrect value for the salt parameter and receives an incorrect proxy address

Summary

Low risk because the protocol team probably already has measures in place to ensure that the proxy address the organizer gets is the correct one. However, assumptions could be dangerous, so I decided to submit this as a low, to balance out my two mediums and high.

If the organizer inputs the wrong value for the salt parameter, the computed proxy address will be wrong too, and when the organizer transfers the contest tokens to this wrong proxy address, they will probably be lost or stuck forever.

Vulnerability Details

How will the contest organizer receive the salt value? Will the proxy factory owner (the contest owner?) send it to the organizer? Where is a check to ensure that it is the same salt value as the one generated by calling the setContest() function?

Impact

Permanently stuck tokens.

Tools Used

VS Code, manual review.

Recommendations

Implement a simple check that compares the salt value generated by setContest() with the salt parameter passed to getProxyAddress(). If they are equal, great. Otherwise, revert.
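A hypothetical Solidity sketch of that check, added here as an illustration and not the Sparkn project's own code: it shows the unchecked getter beside the hardened one that reverts on a salt setContest() never registered. The factory and proxy shapes, the salt derivation, the mapping name and every function other than setContest()/getProxyAddress() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal stand-in for a CREATE2 proxy factory (hypothetical, not Sparkn's code).
contract ProxyFactoryExample {
    address public immutable implementation;
    // salt => registered by setContest()?  (assumed storage; read by the hardened getter)
    mapping(bytes32 => bool) public registeredSalt;

    error SaltNotRegistered(bytes32 salt);

    constructor(address implementation_) { implementation = implementation_; }

    // Owner-side registration: derives the salt and records it (assumed derivation).
    function setContest(address organizer, bytes32 contestId) external returns (bytes32 salt) {
        salt = keccak256(abi.encode(organizer, contestId, implementation));
        registeredSalt[salt] = true;
    }

    // Vulnerable form: any salt yields *some* valid-looking address. A typo in the
    // salt gives an address no proxy will ever be deployed to, so tokens sent there are stuck.
    function getProxyAddressUnchecked(bytes32 salt) external view returns (address) {
        return _computeProxyAddress(salt);
    }

    // Hardened form (the recommendation above): refuse salts setContest() never produced.
    function getProxyAddress(bytes32 salt) external view returns (address) {
        if (!registeredSalt[salt]) revert SaltNotRegistered(salt);
        return _computeProxyAddress(salt);
    }

    // Standard CREATE2 derivation: keccak256(0xff ++ factory ++ salt ++ keccak256(initCode)).
    function _computeProxyAddress(bytes32 salt) internal view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(ProxyShell).creationCode, abi.encode(implementation))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }
}

// Minimal proxy shell so creationCode exists; a real proxy would delegatecall to implementation.
contract ProxyShell {
    address public immutable implementation;
    constructor(address impl) { implementation = impl; }
}
```

The check costs one storage read and turns a silent wrong address into a revert before any tokens move.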
