Loss of funds
Summary
All the contest transfer COMMISSION_FEE to a fixed immutable STADIUM_ADDRESS and if STADIUM_ADDRESS is blocked by parent token [USDC or any other token that implement a blacklist like functionality] all the funds will be locked in contract as distribute will revert and no way to get funds back.
Vulnerability Details
Protocol heavily dependent on immutable STADIUM_ADDRESS and for any type of transfer of funds from contest make sure that COMMISSION_FEE is transferred to STADIUM_ADDRESS.
As from the given introduction ,Sparkn got a project, admin create a contest with a trusted organizer and Sponsors will transfer funds into proxyContract for distribution of reward
FLOW
Sparkn got a bunch of project to work within week{Assume 10}.
Admin creates contest for all of them with their best organizer and Sponsors started funding all the contest and participant actively working to get reward and complete the task/contest
STADIUM_ADDRESS is same in all the contract to get COMMISSION_FEE but now STADIUM_ADDRESS is blocked by parent token and no transfer can happen.
https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/Distributor.sol#L164
https://github.com/Cyfrin/2023-07-escrow/issues/594
Impact
Complete Loss of funds
Tools Used
Manual
Recommendations
Consider using withdraw pattern or add updateStadiumAddress in Distributor.sol that can be only called buy admins
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.