Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Owner and organizer can be winners

Summary

When the owner or organizer calls distribute to allocate the prize money to the winners, nothing stops them from listing themselves among the winners. The rightful winners then receive less money, or none.

Vulnerability Details

When a contest is over, the organizer (or, after the expiration time, the owner) is responsible for distributing the prize money to the winners. The winner list and the percentages are supplied by that same party, and _distribute applies no restriction on who may appear in the list. The organizer or owner can therefore designate their own address as a winner and receive part or all of the funds, leaving the actual winners with less or nothing.

Impact

The true winners receive less or no money, and the organizer or the owner receives it instead.

Tools Used

Manual Review

Recommendations

Even though organizers and the owner are trusted roles, a cheap on-chain check reduces the amount of trust the protocol has to place in them. In Distributor.sol, in the _distribute function, each winner address should be checked before tokens are sent to it.

Distributor.sol

```solidity
if (winners[i] == owner || winners[i] == organizer) revert Distributor__AddressNotAllowed();
erc20.safeTransfer(winners[i], amount);
```

Because _distribute does not otherwise have access to them, the owner and organizer addresses would need to be passed to the function as parameters.
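The recommended check placed in the payout loop of a complete, compilable distributor. This is an added example and not Sparkn's Distributor.sol: the ExampleDistributor contract, its factory-only gating, the basis-point percentage scheme and the extra zero-address guard are assumptions made so the snippet stands alone; only the owner/organizer revert mirrors the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Illustrative payout contract, not Sparkn's Distributor.sol.
/// @dev Assumptions: percentages are basis points summing to 10_000, and the
///      factory (which knows owner and organizer) is the only caller.
contract ExampleDistributor {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000;

    error Distributor__OnlyFactory();
    error Distributor__NoZeroAddress();
    error Distributor__MismatchedArrays();
    error Distributor__MismatchedPercentages();
    error Distributor__AddressNotAllowed();

    address public immutable FACTORY;

    event Distributed(address indexed token, address[] winners, uint256[] percentages);

    constructor(address factory) {
        if (factory == address(0)) revert Distributor__NoZeroAddress();
        FACTORY = factory;
    }

    /// @notice The factory forwards the owner and organizer addresses it already
    ///         holds, so the payout loop can refuse to pay either of them.
    function distribute(
        address token,
        address[] calldata winners,
        uint256[] calldata percentages,
        address owner,
        address organizer
    ) external {
        if (msg.sender != FACTORY) revert Distributor__OnlyFactory();
        _distribute(token, winners, percentages, owner, organizer);
    }

    function _distribute(
        address token,
        address[] calldata winners,
        uint256[] calldata percentages,
        address owner,
        address organizer
    ) internal {
        if (token == address(0)) revert Distributor__NoZeroAddress();
        if (winners.length == 0 || winners.length != percentages.length) {
            revert Distributor__MismatchedArrays();
        }

        uint256 totalPercentage;
        for (uint256 i; i < percentages.length; ++i) {
            totalPercentage += percentages[i];
        }
        if (totalPercentage != BASIS_POINTS) revert Distributor__MismatchedPercentages();

        IERC20 erc20 = IERC20(token);
        // Snapshot the balance once so every share is computed from the same total.
        uint256 totalAmount = erc20.balanceOf(address(this));

        for (uint256 i; i < winners.length; ++i) {
            address winner = winners[i];
            // The check from the recommendation: the party executing the payout
            // (organizer, or owner after expiry) cannot appear in its own winner list.
            if (winner == owner || winner == organizer) revert Distributor__AddressNotAllowed();
            // Extra guard (assumption, not in the report): never burn funds to address(0).
            if (winner == address(0)) revert Distributor__NoZeroAddress();

            uint256 amount = (totalAmount * percentages[i]) / BASIS_POINTS;
            erc20.safeTransfer(winner, amount);
        }

        emit Distributed(token, winners, percentages);
    }
}
```

The check rejects only the literal owner and organizer addresses. An organizer who controls a second wallet can still list that wallet, so the check stops accidental or blatant self-payment rather than removing the trust assumption, which is consistent with the report's framing that it only slightly reduces the trust required.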
