Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

If `STADIUM_ADDRESS` gets blacklisted then contest funds are trapped indefinitely in the proxy contract

Summary

Some tokens such as USDC and USDT (two tokens that SPARKN intends to have whitelisted) implement a blacklist feature, which prevents addresses added to the blacklist from transferring or receiving any tokens. Any attempt to transfer tokens to a blacklisted address reverts. Since the distribute function always transfers the COMMISSION_FEE to the STADIUM_ADDRESS, if STADIUM_ADDRESS becomes blacklisted, all tokens residing in any active contest proxy contract will be permanently irretrievable.

Vulnerability Details

Distributor#distribute is the only means of extracting tokens from the contest contract. It ends with a call to the internal function _commissionTransfer, which transfers the remaining balance of the contract (the commission fee + perhaps some trivial dust amount) to the STADIUM_ADDRESS (this address is an immutable variable set in the constructor).

File: src\Distributor.sol

```solidity
function _commissionTransfer(IERC20 token) internal {
    token.safeTransfer(STADIUM_ADDRESS, token.balanceOf(address(this)));
}
```

If STADIUM_ADDRESS is blacklisted on the token contract, this call will always revert, meaning distribute will always revert and therefore the tokens will be completely irretrievable. The fact that STADIUM_ADDRESS is immutable means that there is no way to avoid this.

Impact

Funds permanently trapped within the contract.

Tools Used

Manual review

Recommendations

Remove the immutable keyword from the STADIUM_ADDRESS variable, and implement a setter function only callable by the trusted admin (owner of ProxyFactory).
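The following is an added illustration of that recommendation, not code from the Sparkn repository. It sketches a Distributor-like contract in which STADIUM_ADDRESS is ordinary storage behind an owner-only setter, together with a constructed mock token whose transfers revert for blacklisted recipients, so the trapped-funds scenario can be reproduced and the recovery path exercised in a Foundry or Hardhat test. The contract names, the `owner` field (standing in for the owner of ProxyFactory), `setStadiumAddress`, and the mock token are all hypothetical; only `STADIUM_ADDRESS` and `_commissionTransfer` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example for this finding; not part of the Sparkn code base.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical hardened variant: STADIUM_ADDRESS is mutable storage and can
/// be rotated by a trusted admin if a token contract blacklists the current
/// recipient.
contract DistributorWithMutableStadium {
    using SafeERC20 for IERC20;

    error NotOwner();
    error ZeroAddress();

    event StadiumAddressUpdated(address indexed previous, address indexed current);

    address public immutable owner;  // trusted admin (hypothetical; stands in for the ProxyFactory owner)
    address public STADIUM_ADDRESS;  // was `immutable` in the audited contract

    constructor(address owner_, address stadium_) {
        if (owner_ == address(0) || stadium_ == address(0)) revert ZeroAddress();
        owner = owner_;
        STADIUM_ADDRESS = stadium_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Rotate the commission recipient. Kept independent of distribute() so it
    /// remains callable while distribute() itself is reverting.
    function setStadiumAddress(address newStadium) external onlyOwner {
        if (newStadium == address(0)) revert ZeroAddress();
        emit StadiumAddressUpdated(STADIUM_ADDRESS, newStadium);
        STADIUM_ADDRESS = newStadium;
    }

    /// Same body as the audited function; it now reads the mutable variable.
    /// distribute() (omitted here) would call this last, as in the finding.
    function _commissionTransfer(IERC20 token) internal {
        token.safeTransfer(STADIUM_ADDRESS, token.balanceOf(address(this)));
    }
}

/// Constructed mock of a token with a recipient blacklist (not USDC/USDT code).
/// transfer() reverts when either party is blacklisted, which is the behaviour
/// that traps funds behind an immutable recipient.
contract BlacklistingToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    address public immutable compliance; // account allowed to edit the blacklist

    constructor(address compliance_) {
        compliance = compliance_;
    }

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function setBlacklisted(address account, bool flag) external {
        require(msg.sender == compliance, "not compliance");
        blacklisted[account] = flag;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

A regression test for this finding would deploy both contracts, mint the mock token to the distributor, blacklist STADIUM_ADDRESS via the mock's compliance account, confirm that the commission transfer reverts, then call `setStadiumAddress` from the owner and confirm the transfer succeeds. One caveat for the proxy design: an `immutable` lives in the implementation bytecode and is shared by every contest proxy, whereas a storage variable is per proxy, so the setter would have to be invoked on each affected proxy (or the address read from one admin-controlled source) for the fix to reach every stuck contest.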
