Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: high
Valid

Unauthorized distribution of stuck funds and arbitrary contract calls

Summary

The distributeByOwner function in ProxyFactory lets the owner rescue stuck funds from any deployed proxy, regardless of whether that proxy's own expiration time has passed, as long as at least one registered contest has expired. The function never validates that the contest identified by the supplied contestId, organizer, and implementation is the one associated with the given proxy.
This vulnerability also presents the risk of executing arbitrary calls on unrelated contracts.

Vulnerability Details

distributeByOwner is defined as:

function distributeByOwner(
    address proxy,
    address organizer,
    bytes32 contestId,
    address implementation,
    bytes calldata data
) public onlyOwner {
    if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    // distribute only when it exists and expired
    if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
    _distribute(proxy, data);
}

The method checks that the contest identified by contestId, organizer, and implementation exists and has passed its expiration time, but it never checks that this contest belongs to the supplied proxy. Because nothing ties the provided contest details to the proxy argument, the owner can satisfy the expiry check with any expired contest and then distribute funds from any proxy, including one whose own contest has not expired.

This vulnerability not only poses immediate risks by enabling the premature distribution of contest funds but also introduces long-term risks, as there are no constraints on the data passed to the method. As a result, the owner could execute arbitrary calls on unrelated contracts, potentially leading to further security breaches.

Impact

Medium - The owner can distribute assets from non-expired contest proxies and execute arbitrary methods on other contracts using the proxy factory contract

Tools Used

Manual review

Recommendations

Omit the proxy address parameter and derive the proxy address with the getProxyAddress view method instead.
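The following is an added illustration of that recommendation, written for this page and not taken from the Sparkn code base: a trimmed-down factory whose distributeByOwner has no proxy parameter and instead recomputes the clone address from the same salt used at deployment. The helper names (setContest, deployProxy, _calculateSalt, _distribute), the salt derivation, the 7-day EXPIRATION_TIME and the use of OpenZeppelin Clones are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// Added example, not Sparkn's ProxyFactory. Shows distributeByOwner with the
/// proxy address derived from (organizer, contestId, implementation) rather
/// than accepted from the caller, so the expiry check and the target contract
/// always refer to the same contest.
contract HardenedProxyFactory {
    error ProxyFactory__NotOwner();
    error ProxyFactory__ContestIsNotRegistered();
    error ProxyFactory__ContestIsNotExpired();
    error ProxyFactory__DelegateCallFailed();

    uint256 public constant EXPIRATION_TIME = 7 days; // assumed value

    address public immutable owner;
    // salt => close time of the registered contest (0 means not registered)
    mapping(bytes32 => uint256) public saltToCloseTime;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert ProxyFactory__NotOwner();
        _;
    }

    /// Registers a contest under the salt that will later be used for the clone (assumed shape).
    function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)
        external
        onlyOwner
    {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        saltToCloseTime[salt] = closeTime;
    }

    /// Deploys the clone with the same salt, so its address is a pure function
    /// of (organizer, contestId, implementation) and this factory's address.
    function deployProxy(address organizer, bytes32 contestId, address implementation)
        external
        onlyOwner
        returns (address proxy)
    {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        proxy = Clones.cloneDeterministic(implementation, salt);
    }

    /// Hardened version: no `proxy` argument. The only contract this path can
    /// reach is the clone that belongs to the contest whose expiry was checked.
    function distributeByOwner(address organizer, bytes32 contestId, address implementation, bytes calldata data)
        external
        onlyOwner
    {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        // distribute only when the contest exists and has expired
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        address proxy = getProxyAddress(salt, implementation);
        _distribute(proxy, data);
    }

    /// Deterministic clone address for a salt/implementation pair deployed by this factory.
    function getProxyAddress(bytes32 salt, address implementation) public view returns (address) {
        return Clones.predictDeterministicAddress(implementation, salt, address(this));
    }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    function _distribute(address proxy, bytes calldata data) internal {
        (bool success,) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
    }
}
```

Because the target address is now a deterministic clone address that only has code if this factory deployed it, the owner can no longer point the call at an unrelated contract, and the "at least one contest has expired" shortcut no longer unlocks other proxies. The report's separate concern that `data` itself is unconstrained is not addressed by this change; it would need an additional restriction on what `_distribute` is allowed to call.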
