Improper validation Of `_deployProxy` return value
Summary
The ProxyFactory contract uses the _deployProxy function to deploy a proxy using create2 instruction. However, the ProxyFactory does not validate the address returned by create2, which will be the zero address if the deployment operation fails. This lack of validation does not currently pose a problem, because the simplicity of Proxy contract helps prevent deployment failures (and thus the return of the zero address). However, deployment issues could become more likely in future upgrades.
Vulnerability Details
The main vulnerability lies in the _deployProxy function which is used to deploy the Proxy contract for each contest which then delegate calls to the Distributor contract to distribute funds to the winners. But during the process of deployment, the function lacks an additional check that whether the contract was deployed successfully or not because on failure the create2 will not revert but instead return the zero address.
Impact
If the deployment is manipulated or failed, the address zero is used by the Organizer to send funds then the funds will get lost forever because in the current operating scenario the Organizer is required to send funds to the Proxy contract before deploying and distributing. Thus, funds will get lost in the process.
Tools Used
Manual Review
Hardhat
Recommendations
The _deployProxy function, with the recommended changes, is detailed below:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.