Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

A sponsor can deposit more than one token into the proxy contract, which leads to loss of funds once _distribute() runs

Summary

The proxy contract accepts deposits of more than one ERC-20 token from sponsors, but _distribute() pays out a single token. Any other token sitting in the proxy when _distribute() executes is left behind, which results in a loss of funds.

Vulnerability Details

The documentation states that a "Sponsor" can fund a contest, and sponsors include both individuals and organizers. However, nothing in the current system prevents a sponsor from depositing two different tokens, such as 10,000 USDC and 5,000 DAI, for a single contest, while _distribute() only accounts for one token. Notably, instances of this occurrence have been observed in contests like the Reality Cards contest on code4rena.

Impact

When _distribute() executes, only the token it is given is transferred to the winners. Any second token a sponsor deposited remains in the proxy contract with no distribution path, so that portion of the sponsor's contribution is lost to both the sponsor and the intended winners.

Tools Used

Manual Review

Recommendations

To mitigate this issue, there are two potential courses of action:

  1. Token Restriction: Restrict the proxy contract to accept only one token per contest. This prevents sponsors from depositing multiple tokens and running into the fund loss during distribution. Note that a contract cannot refuse a plain ERC-20 transfer made to its address, so this restriction has to be enforced through the contest's documentation and a rescue or distribution path for unexpected tokens rather than at deposit time.

  2. Enhanced Distribution: Modify the _distribute() function to account for all tokens held by the proxy contract, transferring every token balance, regardless of type, during the distribution process so that nothing is left stranded.
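The following contract is added here as an illustration and is not taken from Sparkn's code base. It places the single-token payout pattern the finding describes (distributeSingle) next to a payout that walks every token the organizer lists (distributeAll, corresponding to recommendation 2). The contract name, function names, the basis-point percentage scheme and the organizer role are assumptions of this example; it relies on OpenZeppelin's IERC20 and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Sparkn's code. OpenZeppelin's SafeERC20 is used so that
// tokens without a bool return value do not break the payout.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical contest proxy: sponsors transfer ERC-20s straight to this
/// address, and the organizer later pays winners by percentage (basis points).
contract ContestDistributorExample {
    using SafeERC20 for IERC20;

    uint256 public constant BASIS_POINTS = 10_000;
    address public immutable organizer;

    error NotOrganizer();
    error BadWinners();
    error BadPercentages();
    error NothingToDistribute(address token);

    event Distributed(address indexed token, uint256 amount);

    constructor(address organizer_) {
        organizer = organizer_;
    }

    modifier onlyOrganizer() {
        if (msg.sender != organizer) revert NotOrganizer();
        _;
    }

    /// The pattern the finding describes: only `token` is paid out. If a sponsor
    /// also sent a second ERC-20 (say DAI next to USDC), that balance stays in
    /// the proxy with no code path that ever moves it.
    function distributeSingle(address token, address[] calldata winners, uint256[] calldata bps)
        external
        onlyOrganizer
    {
        _distribute(token, winners, bps);
    }

    /// Recommendation 2: the organizer lists every token the proxy holds and each
    /// one is paid out with the same winner percentages, so nothing is stranded.
    /// A token listed twice reverts on the second pass (balance already zero),
    /// which also catches copy-paste mistakes in the list.
    function distributeAll(address[] calldata tokens, address[] calldata winners, uint256[] calldata bps)
        external
        onlyOrganizer
    {
        for (uint256 i = 0; i < tokens.length; i++) {
            _distribute(tokens[i], winners, bps);
        }
    }

    function _distribute(address token, address[] calldata winners, uint256[] calldata bps) internal {
        if (winners.length == 0 || winners.length != bps.length) revert BadWinners();

        // Validate the percentage table before moving any funds.
        uint256 sum;
        for (uint256 i = 0; i < bps.length; i++) {
            sum += bps[i];
        }
        if (sum != BASIS_POINTS) revert BadPercentages();

        uint256 total = IERC20(token).balanceOf(address(this));
        if (total == 0) revert NothingToDistribute(token);

        for (uint256 i = 0; i < winners.length; i++) {
            uint256 amount = (total * bps[i]) / BASIS_POINTS;
            // Skip zero-value transfers: some tokens revert on them.
            if (amount != 0) IERC20(token).safeTransfer(winners[i], amount);
        }
        // Integer division leaves dust behind; sweep it to the last winner so the
        // proxy's balance of `token` is exactly zero when the call returns.
        uint256 dust = IERC20(token).balanceOf(address(this));
        if (dust != 0) {
            IERC20(token).safeTransfer(winners[winners.length - 1], dust);
        }
        emit Distributed(token, total);
    }
}
```

The example implements recommendation 2 rather than recommendation 1 because a receiving contract has no hook to reject a direct ERC-20 transfer; the only place a one-token-per-contest rule can be enforced is on the way out, which is what distributeAll does by paying out every listed balance and then sweeping the rounding dust. The organizer still has to supply the full token list, so an off-chain check that the proxy holds no other ERC-20 before calling it (for example, inspecting Transfer events to the proxy address) is a sensible operational complement.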
