Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

`distribute` allows distribution of only one kind of token

Summary

Contest organizers (or whoever distributes the prizes) can only distribute the prizes that were collected in one kind of token, while contests should be able to collect multiple kinds of tokens (as long as they're all whitelisted).

Vulnerability Details

To distribute the prizes, contest organizers must call `deployProxyAndDistribute` (or let someone else call `deployProxyAndDistributeBySignature` with the organizer's signature). There's no other way to distribute the prizes. These functions can't be called twice because they also deploy the proxy, and one can't deploy two proxies with the same salt. Since the `distribute` function distributes only the prizes collected in one kind of token, the rest of the token prizes can't be distributed.

Impact

Per contest, only the prizes held in one kind of token can be distributed to winners. Only `ProxyFactory`'s owner will be able to distribute all the other token prizes, by calling `distributeByOwner` when the contest expires.

Recommendations

Modify the `distribute` function to receive a list of tokens to be distributed instead of just one.
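
A sketch of what that recommendation could look like, added here as an illustration and not taken from the Sparkn code base. The contract name, the interfaces, the `isWhitelisted` view on the factory, the basis-point percentages and the caller check are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Sparkn's code. Every name below is hypothetical.
interface IERC20Sketch {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IWhitelistSketch {
    function isWhitelisted(address token) external view returns (bool); // assumed view
}

contract MultiTokenDistributorSketch {
    uint256 private constant BASIS_POINTS = 10_000;
    address private immutable i_factory; // assumed: only the factory may trigger payouts

    error NotFactory();
    error BadInput();
    error TokenNotWhitelisted(address token);
    error TransferFailed(address token, address to);

    constructor(address factory) { i_factory = factory; }

    function distribute(
        address[] calldata tokens,
        address[] calldata winners,
        uint256[] calldata percentages
    ) external {
        if (msg.sender != i_factory) revert NotFactory();
        if (tokens.length == 0 || winners.length == 0 || winners.length != percentages.length) revert BadInput();
        uint256 total;
        for (uint256 j; j < percentages.length; ++j) total += percentages[j];
        if (total != BASIS_POINTS) revert BadInput(); // shares must cover the whole pot

        // One call pays out every prize token, so nothing is left behind in the proxy.
        for (uint256 i; i < tokens.length; ++i) {
            address token = tokens[i];
            if (!IWhitelistSketch(i_factory).isWhitelisted(token)) revert TokenNotWhitelisted(token);
            uint256 balance = IERC20Sketch(token).balanceOf(address(this));
            for (uint256 j; j < winners.length; ++j) {
                uint256 amount = balance * percentages[j] / BASIS_POINTS;
                // Tokens that return no bool would need a safe-transfer wrapper instead.
                if (!IERC20Sketch(token).transfer(winners[j], amount)) revert TransferFailed(token, winners[j]);
            }
        }
    }
}
```

Integer division can leave a few units of dust per token in the contract; a real implementation would decide where that remainder goes.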
