Organizer can refuse to pay and refund himself
Project documentation states that:
If a contest is created and funded, there is no way to refund. All the funds belong to the persons who want to help solve the problem, we call them "supporters". And there is a certain assets-locking period of time in which no one except the organizer can call and distribute the funds to the winners.
This statement is incorrect because, at the end of the assets-locking period, the organizer can simply send himself all the tokens in the contract. There is nothing stopping him from doing so, and this can easily be abused.
When distributing rewards to users, all functions that offer this functionality are called with the calldata that contains the list of winners.
Example: ProxyFactory::deployProxyAndDistribute
Abuse scenario:
organizer creates a contest with a valid token pool
contest is started
supporters work on the task at hand and submit their results to the organizer
organizer, after the contest has ended, calls deployProxyAndDistribute with calldata that sends himself all the deposited funds (except the protocol fee)
A malicious organizer can receive work/support without paying supporters.
Manual review
The protocol needs to add a form of validation on the winners array. This, however, is difficult to implement in the system as it is, due to the fundamental design.
One possible solution is:
have all supporters sign up on the platform with their wallets
generate a Merkle tree over the wallets
when setting/starting the contest, also save the Merkle root and a signing address for a signing scheme
modify distribution contract to:
also require a signature generated by the backend; the backend will generate it only if the list of winners is validated off-chain against the Merkle root
use pull, not push (make winners claim)
set the percentage for the winner addresses when distributing but not transfer the funds
winners can claim their rewards from the Sparken UI that provides them the Merkle proof
The suggested solution is still a hybrid between web2 and web3, but it does guarantee that winners will be picked out of those that signed up.
This still leaves a possible Sybil attack in which the sign-up wallets themselves are owned by the organizer, but this is out of scope.
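The off-chain part of the suggested fix, as an added example that is not Sparkn's code: the backend builds the Merkle tree over the sign-up wallets, and refuses to sign a distribution unless every winner proves membership in that tree (plus a uniqueness and 100%-share sanity check). It assumes sha256 in place of the keccak256 an on-chain verifier would use, and sorted-pair hashing in the style of OpenZeppelin's MerkleProof; the wallets are constructed placeholders.

```python
import hashlib

# Constructed sample sign-up wallets (placeholders, not real addresses).
SIGNED_UP_WALLETS = [
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
    "0x3333333333333333333333333333333333333333",
]

def _hash(data: bytes) -> bytes:
    # Assumption: sha256 stands in for the keccak256 an on-chain verifier would use.
    return hashlib.sha256(data).digest()
def leaf(address: str) -> bytes:
    return _hash(bytes.fromhex(address[2:].lower()))  # hash of the 20 raw address bytes
def _pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing (OpenZeppelin MerkleProof style), so proofs carry no left/right flags.
    return _hash(a + b) if a <= b else _hash(b + a)
def _pad(level: list[bytes]) -> list[bytes]:
    # Duplicate the last node on odd-sized levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level
def _next_level(level: list[bytes]) -> list[bytes]:
    level = _pad(level)
    return [_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves: list[bytes], index: int) -> list[bytes]:
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        proof.append(level[index ^ 1])  # sibling at this level
        level, index = _next_level(level), index // 2
    return proof

def verify_proof(root: bytes, leaf_hash: bytes, proof: list[bytes]) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = _pair(node, sibling)
    return node == root

def validate_winners(root, winners, proofs, percentages) -> bool:
    # Backend check before it signs: each winner proves membership in the sign-up
    # tree, winners are unique, and the shares add up to 100.
    if len(winners) != len(proofs) or len(winners) != len(percentages):
        return False
    if len({w.lower() for w in winners}) != len(winners) or sum(percentages) != 100:
        return False
    return all(verify_proof(root, leaf(w), p) for w, p in zip(winners, proofs))
```

An organizer address that never signed up has no valid proof, so the backend withholds its signature and the on-chain pull-based claim never pays it.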