This audit report evaluates the Solidity smart contract ProxyFactory.sol for potential vulnerabilities. The contract was manually reviewed using standard security practices and analysis tools; no issue was found other than the low-severity one described here.
In ProxyFactory.sol at line 131:
Description: In the deployProxyAndDistribute function, the salt that identifies a contest (and therefore determines its proxy address) is derived from the implementation address, the contestId and the organizer's address. No other record of who organized a contest exists; the salt is the only binding between a contest and its organizer. An attacker could therefore attempt to create a competing contest from their own address, using the publicly known implementation address and a crafted contestId chosen so that the resulting salt matches that of a legitimate contest. If the salts match, the attacker's deployment targets the legitimate contest's proxy and the funds held for that contest could be stolen.
Snippet:
Impact: If the salt generation can be made to collide, an attacker can deploy the proxy for a contest they do not own and distribute its funds. A 32-byte salt computed from these three inputs will be a hash (typically keccak256), so producing the same salt from a different organizer address amounts to finding a second preimage. That is only realistic if the inputs are serialised in a way that lets distinct input combinations encode identically (for example abi.encodePacked over variable-length values); with abi.encode over fixed-size values the search is computationally infeasible. The likelihood of exploitation is therefore low, but the design should still be hardened so that contest ownership does not rest on the salt alone.
Manual Review
Recommended mitigation: record the contest organizer explicitly instead of relying on the salt. One approach is a mapping from contestId to the address that originally set up the contest, written when the contest is created, with deployProxyAndDistribute reverting unless msg.sender equals the recorded organizer.
With that check in place, only the original organizer can deploy the proxy and distribute funds for their contest, regardless of how the salt was derived.
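As a worked illustration of the recommendation (added here; it is not code from ProxyFactory.sol or from the audited project), the following minimal factory records the organizer when a contest is registered and checks that record before deploying. The registerContest function, the proxyOf bookkeeping, the MinimalProxy contract and the salt derivation keccak256(abi.encode(organizer, contestId, implementation)) are assumptions made for the example; the audited contract's own setup path and salt formula are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration for this finding; not the audited ProxyFactory.sol.
/// Assumes a CREATE2 salt of keccak256(abi.encode(organizer, contestId, implementation))
/// and shows the recommended organizer record being enforced before deployment.
contract ContestProxyFactoryExample {
    error ContestAlreadyRegistered(bytes32 contestId);
    error ContestNotRegistered(bytes32 contestId);
    error NotOrganizer(bytes32 contestId, address caller);
    error ProxyAlreadyDeployed(bytes32 contestId);

    /// Recommended addition: contestId -> address that set the contest up.
    mapping(bytes32 => address) public organizerOf;
    /// Hypothetical bookkeeping so a contest cannot be distributed twice.
    mapping(bytes32 => address) public proxyOf;

    event ContestRegistered(bytes32 indexed contestId, address indexed organizer);
    event ProxyDeployed(bytes32 indexed contestId, address indexed proxy, bytes32 salt);

    /// Hypothetical registration step (the real setup path is not on this page).
    /// Whoever registers a contestId first owns it; later callers cannot take it over.
    function registerContest(bytes32 contestId) external {
        if (organizerOf[contestId] != address(0)) revert ContestAlreadyRegistered(contestId);
        organizerOf[contestId] = msg.sender;
        emit ContestRegistered(contestId, msg.sender);
    }

    /// Salt derivation assumed for the example. abi.encode pads every argument to
    /// 32 bytes, so two distinct (organizer, contestId, implementation) triples can
    /// only share a salt through a keccak256 collision.
    function calculateSalt(address organizer, bytes32 contestId, address implementation)
        public
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    /// Deploys the contest proxy and forwards `data` to it (e.g. a distribute call).
    /// The organizer check uses the explicit record, not the salt alone.
    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        external
        returns (address proxy)
    {
        address organizer = organizerOf[contestId];
        if (organizer == address(0)) revert ContestNotRegistered(contestId);
        if (organizer != msg.sender) revert NotOrganizer(contestId, msg.sender);
        if (proxyOf[contestId] != address(0)) revert ProxyAlreadyDeployed(contestId);

        bytes32 salt = calculateSalt(organizer, contestId, implementation);
        proxy = address(new MinimalProxy{salt: salt}(implementation));
        proxyOf[contestId] = proxy;
        emit ProxyDeployed(contestId, proxy, salt);

        (bool ok, bytes memory ret) = proxy.call(data);
        if (!ok) {
            // Bubble up the proxy's revert reason unchanged.
            assembly {
                revert(add(ret, 0x20), mload(ret))
            }
        }
    }
}

/// Minimal delegatecall proxy, present only so the example compiles stand-alone.
contract MinimalProxy {
    address public immutable implementation;

    constructor(address implementation_) {
        implementation = implementation_;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

Keying organizerOf by contestId alone makes a contestId globally unique across organizers. If the protocol intends contestIds to be scoped per organizer, key the record by keccak256(abi.encode(organizer, contestId)) instead and keep the msg.sender comparison; the point of the mitigation is that the ownership check reads an explicit record rather than trusting whatever salt the caller can reproduce.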
The audit has identified a vulnerability in the ProxyFactory.sol contract that could potentially allow unauthorized access to contest funds. The recommended solution involves implementing a verification mechanism to confirm the contest organizer's identity before allowing proxy deployment and fund distribution. This enhancement will bolster the contract's security and mitigate the identified risk.