Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

A signature can be reused for a contest with a different implementation address

Summary

A signature by an organizer can be reused by an attacker in deployProxyAndDistributeBySignature for a contest which has the same contestId but a different implementation address.

Vulnerability Details

In the function deployProxyAndDistributeBySignature, the digest of the signature includes the contestId, data and the domain separator provided by EIP712. Notably, it does not include the implementation address.

There can be different valid contests created using the setContest function which have the same organizer and contestId but a different implementation address (these two contests are referred to as contests A and B below). This situation could arise where the Owner deploys a new implementation contract and reuses a contestId for a specific organizer. There are no checks in setContest which would prevent contest B from being created (as it is possible for two contests to have the same contestId) and contests A and B would have different salts (as the implementation is included in the salt calculation).

If an organizer creates a signature for the function deployProxyAndDistributeBySignature for contest A, an attacker could reuse that same signature to call deployProxyAndDistributeBySignature for contest B. All of the details in the signature would be the same, given that the implementation address is not checked as part of the digest in the signature. This would allow the attacker to deploy the proxy for contest B and distribute the funds using the call data that the organizer used for contest A.

Impact

The vulnerability could allow an attacker to distribute funds for contest B using the same distribution logic that was used by an organizer for contest A, which would result in funds that were meant for the winners of contest B being distributed to the winners of contest A. This could either be done as a form of griefing, or one of the winners of contest A could carry out such an attack for personal gain.

Tools Used

Manual analysis

Recommendations

Include the implementation address in the digest in deployProxyAndDistributeBySignature.
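
The effect of the recommendation can be checked in a small off-chain model. This is an added example, not Sparkn's contract code: SHA-256 stands in for keccak256 and the EIP712 digest, HMAC stands in for the organizer's ECDSA signature, and every name and value in it (Factory, digest_weak, digest_fixed, the keys and addresses) is a constructed assumption.

```python
import hashlib
import hmac

DOMAIN = b"constructed-domain-separator"  # stand-in for the EIP712 domain separator

def h(*parts: bytes) -> bytes:
    # Length-prefixed SHA-256, standing in for keccak256(abi.encode(...)).
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def digest_weak(contest_id, implementation, data):
    # Digest as the finding describes it: contestId, data and domain only.
    return h(DOMAIN, contest_id, data)

def digest_fixed(contest_id, implementation, data):
    # Recommended digest: the implementation address is part of what is signed.
    return h(DOMAIN, contest_id, implementation, data)

def sign(key, digest):
    # HMAC stands in for the organizer's ECDSA signature (model only).
    return hmac.new(key, digest, hashlib.sha256).digest()

class Factory:
    def __init__(self, digest_fn, organizer_keys):
        self.digest_fn = digest_fn
        self.keys = organizer_keys  # organizer -> key; on-chain this is signer recovery
        self.contests = set()       # salts registered through set_contest
    def salt(self, organizer, contest_id, implementation):
        return h(organizer, contest_id, implementation)
    def set_contest(self, organizer, contest_id, implementation):
        self.contests.add(self.salt(organizer, contest_id, implementation))
    def distribute_by_signature(self, organizer, contest_id, implementation, sig, data):
        digest = self.digest_fn(contest_id, implementation, data)
        if not hmac.compare_digest(sign(self.keys[organizer], digest), sig):
            return False  # signature does not cover this call
        return self.salt(organizer, contest_id, implementation) in self.contests

def replay_accepted(digest_fn):
    # The organizer signs for contest A; the same signature is presented for contest B.
    org, key, cid = b"organizer", b"constructed-key", b"contest-1"
    impl_a, impl_b, data = b"impl-A", b"impl-B", b"distribution for winners of A"
    f = Factory(digest_fn, {org: key})
    f.set_contest(org, cid, impl_a)
    f.set_contest(org, cid, impl_b)
    sig = sign(key, digest_fn(cid, impl_a, data))
    assert f.distribute_by_signature(org, cid, impl_a, sig, data)  # intended call
    return f.distribute_by_signature(org, cid, impl_b, sig, data)
```

With digest_weak the signature made for contest A is accepted for contest B; with digest_fixed the same call is rejected.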
