Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Proxy addresses of unauthorized contests are returned via getProxyAddress

Summary

The getProxyAddress function exposes the addresses of potential contests, even those that have not been approved by the owner. This can lead to sponsors sending assets to proxy addresses that may never be deployed through the ProxyFactory contract.

Vulnerability Details

The getProxyAddress function currently lacks a check to verify whether a contest has been added by the owner. As a result, it returns addresses for hypothetical contests, which may never be deployed using the ProxyFactory contract. This situation can mislead sponsors into sending assets to proxy addresses that are not intended for actual use.

Impact

Medium - The getProxyAddress view method provides addresses for contests that have not been approved by the owner, potentially causing misallocation and loss of assets.

Tools Used

Manual review

Recommendations

Consider checking whether the contest was set in the ProxyFactory contract before evaluating and returning the address.
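
One way to implement this check, as an added example that is not the audited project's code. It assumes the factory derives proxy addresses deterministically with CREATE2 from a salt built out of the contest parameters; all names (MinimalProxy, GuardedFactory, registered, saltFor, setContest, deployProxy, the custom errors) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Stand-in proxy so the example compiles on its own (hypothetical, not the audited Proxy).
contract MinimalProxy {
    address private immutable IMPLEMENTATION;
    constructor(address implementation) { IMPLEMENTATION = implementation; }
    fallback() external {
        address impl = IMPLEMENTATION;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

// Hypothetical factory: every name below is an assumption made for this example.
contract GuardedFactory {
    error NotOwner();
    error ContestNotRegistered();
    address public immutable owner;
    mapping(bytes32 => bool) public registered; // salt => approved by the owner

    constructor() { owner = msg.sender; }

    function saltFor(address organizer, bytes32 contestId, address impl) public pure returns (bytes32) {
        return keccak256(abi.encode(organizer, contestId, impl));
    }

    function setContest(address organizer, bytes32 contestId, address impl) external {
        if (msg.sender != owner) revert NotOwner();
        registered[saltFor(organizer, contestId, impl)] = true;
    }

    // Reverts for contests the owner never registered, so no address is handed out for them.
    function getProxyAddress(address organizer, bytes32 contestId, address impl) external view returns (address) {
        bytes32 salt = saltFor(organizer, contestId, impl);
        if (!registered[salt]) revert ContestNotRegistered();
        bytes32 initHash = keccak256(abi.encodePacked(type(MinimalProxy).creationCode, abi.encode(impl)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initHash)))));
    }

    function deployProxy(address organizer, bytes32 contestId, address impl) external returns (address) {
        if (msg.sender != owner) revert NotOwner();
        bytes32 salt = saltFor(organizer, contestId, impl);
        if (!registered[salt]) revert ContestNotRegistered();
        return address(new MinimalProxy{salt: salt}(impl));
    }
}
```

Because the view function and the deploy path gate on the same registry entry, any address a sponsor obtains from getProxyAddress corresponds to a contest the owner has approved.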
