In distributeByOwner, there is no input validation on the proxy param.
This allows the owner to pass in any proxy address and execute an arbitrary call on it, and even to bypass expiration checks and call distribute on contests that have not expired. However, there is no way to deploy it before expiry, so this is not that big of a problem.
The owner can mistakenly or intentionally distribute on an incorrect proxy.
Verify that the proxy address passed is correct, or do not take the proxy as input at all: compute the address from organizer and contestId with _calculateSalt and getProxyAddress.
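One way to apply the second recommendation, as an added sketch that is not the audited project's code: the proxy parameter is dropped and the target is derived from the salt, assuming the proxies are deployed with CREATE2. The Proxy stand-in, the function signatures, the implementation argument, registerAndDeploy, the error names, saltToCloseTime and the EXPIRATION_TIME value are assumptions; only distributeByOwner, _calculateSalt and getProxyAddress are names from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Assumption: minimal stand-in for the contest proxy; it delegates every call to `impl`.
contract Proxy {
    address private immutable impl;
    constructor(address implementation) { impl = implementation; }
    fallback() external {
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 32), mload(ret)) }
            return(add(ret, 32), mload(ret))
        }
    }
}

contract FactorySketch {
    error NotOwner(); error ContestNotExpired();
    error ProxyNotDeployed(address expected); error DistributeFailed();
    address public immutable owner = msg.sender;
    uint256 public constant EXPIRATION_TIME = 7 days; // constructed value
    mapping(bytes32 => uint256) public saltToCloseTime; // salt => contest close time
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    // Simplification: registration and deployment happen in one owner-only step;
    // the real factory's deployment rules are not reproduced here.
    function registerAndDeploy(address organizer, bytes32 contestId, address implementation, uint256 closeTime) external onlyOwner {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        saltToCloseTime[salt] = closeTime;
        new Proxy{salt: salt}(implementation);
    }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation) internal pure returns (bytes32) {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    // CREATE2 address: last 20 bytes of keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode)).
    function getProxyAddress(bytes32 salt, address implementation) public view returns (address) {
        bytes32 initCodeHash = keccak256(abi.encodePacked(type(Proxy).creationCode, abi.encode(implementation)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)))));
    }
    // No `proxy` parameter: the expiry check and the call always refer to the same contest.
    function distributeByOwner(address organizer, bytes32 contestId, address implementation, bytes calldata data) external onlyOwner {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        uint256 closeTime = saltToCloseTime[salt];
        if (closeTime == 0 || closeTime + EXPIRATION_TIME > block.timestamp) revert ContestNotExpired();
        address proxy = getProxyAddress(salt, implementation);
        if (proxy.code.length == 0) revert ProxyNotDeployed(proxy); // a call to an address without code returns success
        (bool ok,) = proxy.call(data);
        if (!ok) revert DistributeFailed();
    }
}
```

If the proxy parameter has to stay in the signature, the first recommendation is the same derivation used as a check: compare the supplied address with getProxyAddress(salt, implementation) and revert on mismatch.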