Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: high
Valid

In `DistributeByOwner` the owner can input a proxy for another contest than the actual one

Summary

In `DistributeByOwner` the owner can input a proxy for a contest other than the actual one.

Vulnerability Details

The owner passes in the address of the proxy that holds the funds, the owner of the contest (the organizer), the contestId and the address of Distributor.sol. The owner can pass in the wrong proxy because there is no check for that.
E.g.
Alice (the owner of protocol A) has forgotten about her protocol, so the owner (of the ProxyFactory) can now use `DistributeByOwner` for her protocol.
Bob (the owner of protocol B): his protocol is still in progress.

Now the owner can use the function for protocols A and B.
He uses `DistributeByOwner` but actually sets the proxy address of protocol B, while the other inputs are organizer: Alice (protocol A), contestId: protocol A, implementation: Distributor.sol.
This way the checks pass, and the proxy of protocol B distributes the prizes before the protocol finishes.

Impact

Loss of funds, unexpected finish

Tools Used

Manual review

Recommendations

Check that the proxy being used is the actual proxy of the protocol.
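A minimal sketch of the missing check next to the unchecked form, added here as an illustration and not taken from the audited code. The contract name, the `proxyOf` registry, `register`, the error names and the 7-day expiry are assumptions; only the inputs (proxy, organizer, contestId, implementation) come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration: all names are hypothetical, not the audited source.
contract FactorySketch {
    error NotOwner();
    error ContestNotRegistered();
    error ContestNotExpired();
    error ProxyDoesNotMatchContest();
    uint256 public constant EXPIRATION = 7 days; // assumed grace period
    address public immutable owner;
    mapping(bytes32 => uint256) public closeTime; // contest key => close time
    mapping(bytes32 => address) public proxyOf;   // contest key => its proxy (assumed registry)

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function register(address organizer, bytes32 contestId, address impl, address proxy, uint256 closeAt) external onlyOwner {
        bytes32 k = keccak256(abi.encode(organizer, contestId, impl));
        closeTime[k] = closeAt;
        proxyOf[k] = proxy;
    }

    // Checks shared by both variants: they look only at the contest parameters.
    function _expiredKey(address organizer, bytes32 contestId, address impl) internal view returns (bytes32 k) {
        k = keccak256(abi.encode(organizer, contestId, impl));
        if (closeTime[k] == 0) revert ContestNotRegistered();
        if (closeTime[k] + EXPIRATION > block.timestamp) revert ContestNotExpired();
    }

    // Before: `proxy` is never tied to the contest, so contest B's proxy is
    // accepted together with contest A's (expired) parameters.
    function distributeByOwnerUnchecked(address proxy, address organizer, bytes32 contestId, address impl, bytes calldata data) external onlyOwner {
        _expiredKey(organizer, contestId, impl);
        _forward(proxy, data);
    }

    // After: the proxy must be the one recorded for exactly this contest.
    function distributeByOwnerChecked(address proxy, address organizer, bytes32 contestId, address impl, bytes calldata data) external onlyOwner {
        bytes32 k = _expiredKey(organizer, contestId, impl);
        if (proxy != proxyOf[k]) revert ProxyDoesNotMatchContest();
        _forward(proxy, data);
    }

    function _forward(address proxy, bytes calldata data) internal {
        (bool ok,) = proxy.call(data);
        require(ok, "distribution call failed");
    }
}
```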
