Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

Submission Details

Severity: high

Unexpected Behavior for contests

Unexpected behavior regarding setContest and deployProxyAndDistribute

There are 3 scenarios:

The sponsors can sent tokens to a expired contest since there is no reset/check. This will result in locking of funds or the next scenario.
It is possible to run deployProxyAndDistribute more than once. It will pass all checks and since there is funds in the contract, it will double spend and send tokens to winner addresses.
New contests with same salt will not be initialized even though the old contest has expired.

Possible double spending and locking of funds in contract

Manual review

The best solution I can think of is setting:

saltToCloseTime[salt]=0

after each of the deployProxyAndDistribute functions.

Vulnerability #1 is solved. Use a check for sponsors while sending tokens to the contract that the saltToCloseTime[salt]>0.
Vulnerability #2 is solved. deployProxyAndDistribute cannot be run more than once since there is check for !saltToCloseTime[salt]>0
Vulnerability #3 is solved. New contests with same salt can be set

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

The contest is live. Earn rewards by submitting a finding.

Submissions are being carefully reviewed by our judges.

This is your time to appeal against judgements on your submissions.

Appeals are being carefully reviewed by our judges.

The contest is complete and the rewards are being distributed.

Support

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.