Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

ProxyFactory: no input validation on proxy param

Summary

In distributeByOwner, there is no input validation on the proxy parameter.

Vulnerability Details

function distributeByOwner(
    address proxy,
    address organizer,
    bytes32 contestId,
    address implementation,
    bytes calldata data
) public onlyOwner {
    // `proxy` is only checked against the zero address; nothing ties it to
    // the organizer/contestId/implementation that the salt is derived from.
    if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    // ... (rest of the function not shown in the excerpt)
}

This allows the owner to pass in any proxy address and execute an arbitrary call on it. It could even bypass the expiration checks and call distribute on contests that have not expired yet. But since there is no way to deploy the proxy before expiry, this is not that big of a problem.

Impact

The owner may mistakenly or intentionally distribute on an incorrect proxy.

Tools Used

Recommendations

Verify that the proxy address passed in is correct, or do not take the proxy as input at all: compute the address from organizer and contestId with _calculateSalt and getProxyAddress.
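Both fixes sketched in Solidity, as an added illustration rather than the Sparkn ProxyFactory source. It assumes the factory deploys a `Proxy` contract via CREATE2 with the implementation as constructor argument (so the expected address can be recomputed on-chain) and omits the real contract's contest-expiry check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal stand-in for the proxy the factory deploys; an assumption for this example.
contract Proxy {
    address public immutable implementation;
    constructor(address impl) { implementation = impl; }
}

// Added example, not the Sparkn ProxyFactory. Shows two fixes for the unchecked
// `proxy` parameter; the contest-expiry check of the real contract is omitted here.
contract ProxyFactoryHardened {
    error ProxyFactory__ProxyAddressCannotBeZero();
    error ProxyFactory__ProxyAddressMismatch(address given, address expected);

    address public immutable owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal pure returns (bytes32)
    { return keccak256(abi.encode(organizer, contestId, implementation)); }

    // CREATE2 address the factory would have used for this salt/implementation pair,
    // assuming `Proxy` is deployed with `new Proxy{salt: salt}(implementation)`.
    function getProxyAddress(bytes32 salt, address implementation) public view returns (address) {
        bytes32 initCodeHash = keccak256(abi.encodePacked(type(Proxy).creationCode, abi.encode(implementation)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)))));
    }

    // Fix A: keep the parameter but reject anything other than the derived address.
    function distributeByOwner(address proxy, address organizer, bytes32 contestId, address implementation, bytes calldata data) external onlyOwner {
        if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
        address expected = getProxyAddress(_calculateSalt(organizer, contestId, implementation), implementation);
        if (proxy != expected) revert ProxyFactory__ProxyAddressMismatch(proxy, expected);
        _distribute(proxy, data);
    }

    // Fix B: do not take the proxy as input at all; derive it from the contest identity.
    function distributeByOwner(address organizer, bytes32 contestId, address implementation, bytes calldata data) external onlyOwner {
        _distribute(getProxyAddress(_calculateSalt(organizer, contestId, implementation), implementation), data);
    }

    function _distribute(address proxy, bytes calldata data) internal {
        (bool ok, ) = proxy.call(data);
        require(ok, "distribute failed");
    }
}
```

With Fix B the owner cannot target a contract the factory never deployed for that contest, since the only address reachable is the one CREATE2 yields for (organizer, contestId, implementation).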
