Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

No verifiable way for the owner to get the data for distributing the winnings

Summary

If the organizer does not call the deployProxyAndDistribute function within the allowed time range, the owner of the ProxyFactory contract becomes eligible to deploy the proxy and distribute instead. At that point the owner is fully trusted: the distribution data is passed in as a plain argument, so a malicious owner can direct the winnings to addresses of their own choosing.
Even an honest owner has a problem. The winner list is not stored on-chain and is never committed to by the organizer, so there is no verifiable source from which the owner can obtain it.

Vulnerability Details

The owner-only distribution path accepts arbitrary distribution data with no check that it originates from the organizer. This raises two problems: a malicious owner can feed any data and pay out whomever they like, and an honest owner has no trustworthy source for the data, nor any way to confirm that data claimed to come from the organizer is correct.

Impact

Winnings can be misdirected by a malicious owner, and even an honest distribution after the expiry period rests on data that nobody can verify on-chain. Participants must therefore trust the owner unconditionally, which the protocol has no trusted or verifiable way to avoid.

Tools Used

Manual Testing

Recommendation

  • The organizer should sign a message that commits to the winner addresses and the contest ID, and the distribute contract should verify that signature before paying out. If the recovered signer does not match the organizer's address, the call must revert.
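One way to implement the recommended check, written here as an added illustration and not as Sparkn's own code. The contract name, the organizerOf registry, the digest layout and the distribute function signature are all assumptions made for this example; the real ProxyFactory and Distributor interfaces differ. The example goes slightly beyond the recommendation by also binding the chain ID and contract address into the signed message and by rejecting a second use of the same signature, both of which a practitioner would want once signatures gate payouts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative contract (assumption, not Sparkn's code): the organizer signs the
/// winner list for a contest off-chain; anyone, including the factory owner, may
/// submit it, but the payout only proceeds if the signature recovers to the
/// organizer registered for that contest.
contract SignedDistribution {
    address public immutable owner;

    // contestId => organizer registered when the contest was created (assumed registry)
    mapping(bytes32 => address) public organizerOf;
    // contestId => already paid out; stops the same signed message being replayed
    mapping(bytes32 => bool) public distributed;

    error InvalidSignature();
    error AlreadyDistributed();
    error LengthMismatch();

    event Distributed(bytes32 indexed contestId, address[] winners, uint256[] amounts);

    constructor() {
        owner = msg.sender;
    }

    function registerContest(bytes32 contestId, address organizer) external {
        require(msg.sender == owner, "only owner");
        require(organizerOf[contestId] == address(0), "contest exists");
        organizerOf[contestId] = organizer;
    }

    /// Digest the organizer signs off-chain. Including chainid and this contract's
    /// address prevents the same signature being reused on another deployment.
    function distributionDigest(
        bytes32 contestId,
        address[] calldata winners,
        uint256[] calldata amounts
    ) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(block.chainid, address(this), contestId, winners, amounts)
        );
        // EIP-191 prefix, as produced by wallet personal_sign / signMessage
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash));
    }

    /// Callable by anyone; the organizer's signature, not msg.sender, authorises the data.
    function distribute(
        bytes32 contestId,
        address[] calldata winners,
        uint256[] calldata amounts,
        bytes calldata signature
    ) external {
        if (winners.length != amounts.length) revert LengthMismatch();
        if (distributed[contestId]) revert AlreadyDistributed();

        address signer = _recover(distributionDigest(contestId, winners, amounts), signature);
        if (signer == address(0) || signer != organizerOf[contestId]) revert InvalidSignature();

        distributed[contestId] = true;
        emit Distributed(contestId, winners, amounts);
        // Token transfers to `winners` in proportion to `amounts` would follow here.
    }

    /// ecrecover wrapper that rejects malformed and malleable signatures.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // Reject high-s values (EIP-2) so each message has a single valid encoding.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
            return address(0);
        }
        if (v != 27 && v != 28) return address(0);
        return ecrecover(digest, v, r, s);
    }
}
```

With this check in place the owner's late-distribution path can still exist, but it can only forward data the organizer has signed, so the owner is reduced to a relayer. One design caveat: if the organizer never signs anything, a signature-gated path cannot pay out at all, so the fallback for an unresponsive organizer (for example returning funds to the sponsor) needs to be decided separately rather than left to owner discretion.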
