Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Loss of funds due to not checking the return value of proxy creation

Summary

Inadequate error handling in proxy contract deployment can cause loss of funds.

Vulnerability Details

In the deployProxyAndDistribute function, _deployProxy is called to create a proxy contract, but its return value is never checked for the case where contract creation fails and yields address(0) (the null address). If such a deployment failure occurs, _distribute is subsequently called with address(0) as the proxy. Because the EVM treats a call to an account with no code as successful, the success check inside _distribute does not catch this case either: the call silently does nothing and the Distributed event is still emitted.

Impact

If _deployProxy fails to create a proxy contract and returns address(0), _distribute runs the distribution call against address(0) instead of a real proxy. Users expect prizes to be distributed, but nothing is distributed and the prize funds can be lost, causing financial losses.

The relevant code in _distribute:

    function _distribute(address proxy, bytes calldata data) internal {
        // A low-level call to an address with no code returns success == true,
        // so this revert does not trigger when proxy is address(0).
        (bool success, ) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

This code makes a low-level call to the proxy address with the distribution calldata, and that proxy address comes from
this line of the deployProxyAndDistribute() function:

address proxy = _deployProxy(msg.sender, contestId, implementation);

which is then passed, unchecked, to the following line:

_distribute(proxy, data);

Tools Used

Manual Review

Recommendations

Check the return value of the proxy creation before calling _distribute: revert if the returned address is address(0) (and, more strictly, if the returned address has no code), so that a failed deployment never reaches the distribution step.
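The following is an added example written for this report, not Sparkn's or CodeFox's code. The page does not show the body of _deployProxy, so the example assumes it deploys a minimal EIP-1167 clone with a raw assembly create2 (which returns address(0) on failure instead of reverting); the error name ProxyFactory__ProxyDeploymentFailed and the helper _cloneCode are assumptions. It shows the unchecked deployment beside the checked one, and why the success check in _distribute alone is not enough:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Constructed example, not the project's code: a minimal factory whose
/// proxy creation can fail and return address(0), and the check that stops
/// that address from reaching _distribute.
contract ProxyFactoryExample {
    error ProxyFactory__DelegateCallFailed();
    error ProxyFactory__ProxyDeploymentFailed(); // assumed error name

    event Distributed(address proxy, bytes data);

    /// Creation bytecode of a minimal EIP-1167 clone pointing at `implementation`.
    function _cloneCode(address implementation) internal pure returns (bytes memory) {
        return abi.encodePacked(
            hex"3d602d80600a3d3981f3363d3d373d3d3d363d73",
            implementation,
            hex"5af43d82803e903d91602b57fd5bf3"
        );
    }

    /// Vulnerable pattern: raw CREATE2 returns address(0) on failure
    /// (for example when the salt was already used), and nothing checks it.
    function _deployProxyUnchecked(address organizer, bytes32 contestId, address implementation)
        internal
        returns (address proxy)
    {
        bytes32 salt = keccak256(abi.encode(organizer, contestId, implementation));
        bytes memory code = _cloneCode(implementation);
        assembly {
            proxy := create2(0, add(code, 0x20), mload(code), salt)
        }
    }

    /// Hardened pattern: revert as soon as CREATE2 reports failure, and
    /// additionally require that the returned address actually holds code.
    function _deployProxy(address organizer, bytes32 contestId, address implementation)
        internal
        returns (address proxy)
    {
        proxy = _deployProxyUnchecked(organizer, contestId, implementation);
        if (proxy == address(0)) revert ProxyFactory__ProxyDeploymentFailed();
        if (proxy.code.length == 0) revert ProxyFactory__ProxyDeploymentFailed();
    }

    /// Same shape as the _distribute shown above. A low-level call to an
    /// account with no code (address(0) included) returns success == true,
    /// so this revert on its own never catches a failed deployment.
    function _distribute(address proxy, bytes calldata data) internal {
        (bool success, ) = proxy.call(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

    /// Deployment now reverts on failure, so _distribute only ever sees a
    /// proxy that exists and has code.
    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        external
        returns (address proxy)
    {
        proxy = _deployProxy(msg.sender, contestId, implementation);
        _distribute(proxy, data);
    }
}
```

If the factory deploys with Solidity's `new ... {salt: salt}` or OpenZeppelin's Clones.cloneDeterministic, the zero-address check is already performed for you and the transaction reverts on a failed CREATE2; it is only the raw assembly create2 pattern that hands back address(0) silently and needs the explicit check.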
