Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Malicious/Compromised organiser can claw back all funds, stealing work from supporters

Summary

The contest details state that 'If a contest is created and funded, there is no way to refund. All the funds belong to the persons who want to help solve the problem, we call them "supporters".' (see More Context section). This is untrue: the organizer is able to refund all of the contest funds to an address of their choosing.

Vulnerability Details

In Distributor#_distribute, there is no input validation on the winners array. A malicious or compromised organizer can, with little effort, pass a single-element winners array containing a wallet address they control, together with [10000] as the percentages parameter, and thereby receive 100% of the funds initially deposited to the contract. Due to the design of the protocol, they have 7 days after the contest ends (the value of the EXPIRATION_TIME constant in the ProxyFactory contract) in which to perform this action, and the owner has no way to prevent it.

Impact

Malicious/Compromised organizer can refund 100% of the contest funds, stealing work from sponsors.

Tools Used

Manual review

Recommendations

Use a two step procedure for distributing funds:

  1. The organizer submits an array of winners and percentages to the Proxy contract, and they are cached in storage variables.

  2. The owner of ProxyFactory (a trusted admin) checks the cached arrays to ensure the organizer is not distributing all of the money to themselves and, if satisfied, triggers the distribution of funds.

This removes the need to trust the organizer. Although it requires trusting the admin, the admin was already a required trusted party, so the mitigation is beneficial overall. It also brings the protocol in line with the statement from the contest details quoted in the Summary section of this report.
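The following Solidity sketch is an added illustration of the two-step procedure and is not Sparkn's own Distributor code; it assumes the prize pool is an ERC-20 token (such as USDC) and that the trusted admin address is fixed at deployment rather than read from ProxyFactory.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Minimal ERC-20 surface used below (assumption: the prize pool is an ERC-20 such as USDC).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Hypothetical sketch of the recommended two-step distribution, not Sparkn's Distributor.
// Step 1: the organizer stages winners/percentages in storage; no funds move.
// Step 2: the factory owner (already a trusted admin) reviews them and executes.
contract TwoStepDistributor {
    uint256 public constant BASIS_POINTS = 10000; // 100% == 10000, as in the [10000] case above
    address public immutable factoryOwner;        // trusted admin (assumed fixed at deployment)
    address public immutable organizer;
    IERC20 public immutable token;
    address[] public proposedWinners;             // cached by step 1; public so the admin can review
    uint256[] public proposedPercentages;
    bool public pending;
    constructor(address _factoryOwner, address _organizer, IERC20 _token) {
        factoryOwner = _factoryOwner;
        organizer = _organizer;
        token = _token;
    }
    // Step 1: the organizer can only stage a proposal; this call by itself moves nothing.
    function proposeDistribution(address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == organizer, "not organizer");
        require(winners.length != 0 && winners.length == percentages.length, "bad arrays");
        delete proposedWinners;
        delete proposedPercentages;
        uint256 sum;
        for (uint256 i = 0; i < winners.length; i++) {
            sum += percentages[i];
            proposedWinners.push(winners[i]);
            proposedPercentages.push(percentages[i]);
        }
        require(sum == BASIS_POINTS, "percentages must total 10000");
        pending = true;
    }
    // Step 2: only the trusted admin releases funds, and only after reviewing the cached arrays.
    function approveAndDistribute() external {
        require(msg.sender == factoryOwner, "not factory owner");
        require(pending, "nothing proposed");
        pending = false;
        uint256 total = token.balanceOf(address(this)); // snapshot once; rounding dust stays behind
        for (uint256 i = 0; i < proposedWinners.length; i++) {
            uint256 amount = (total * proposedPercentages[i]) / BASIS_POINTS;
            require(token.transfer(proposedWinners[i], amount), "transfer failed");
        }
    }
}
```

A proposal such as a single organizer-controlled winner at 10000 now sits in storage where the admin can inspect it and simply decline to call approveAndDistribute.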
