Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Organizers can arbitrarily distribute rewards

0xDetermination

Summary

Because contest organizers can freely choose reward recipients, they can distribute all rewards to themselves.

Vulnerability Details

PoC:

Malicious organizer arranges contest off-chain.
Owner calls setContest() in ProxyFactory contract.
Organizer and/or sponsors send tokens to the predetermined proxy address.
Supporters work on the contest and submit their work to the organizer for judging
Contest ends and organizer calls deployProxyAndDistribute() in the ProxyFactory contract, setting their own address as the only reward receiver
Organizer receives all of the rewards deposited by themselves and/or sponsors, minus the protocol fee. Additionally, the organizer now possesses all the work done by supporters.

Impact

Supporters receive zero awards for their work, and the organizer receives all contest funds minus the protocol fee. Protocol funds are directly at risk.

Tools Used

Manual Review

Recommendations

Do not allow the contest organizers to distribute awards. Instead, delegate reward distribution solely to the protocol owner. This would eliminate a large amount of attack surface related to malicious organizers.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!