No logic to add whitelisted tokens or remove tokens from whitelist is too restrictive
Summary
Currently there is no way to add or remove whitelisted tokens - they are added once in the constructor. There are numerous edge cases in which this will lead to issues. For example, (1) there will often be cases in which new tokens will need to be whitelisted. For example, sponsors for specific projects might want to pay out the winners with their native token (e.g. governance token). There is no way to know all these tokens at the time of deployment. Additionally, (2) the canonical addresses of some large tokens change over time. For example on Arbitrum, the bridged token USDC.e was used for a long time, and only recently was native USDC deployed on the chain. This would mean that the now defacto USDC token address would not be included in the factory whitelist. Also, (3) some sponsors might mess up and send the wrong tokens to the Proxy address. Currently there's no way to rescue these tokens without logic for updating the whitelist to include these tokens.
In all these cases, re-deploying the ProxyFactory would be required to update the whitelist, which not only is not free, but will also lead to operational difficulties trying to manage different contests which are running with different ProxyFactory contract versions (e.g. if the contests from the earlier ProxyFactory haven't finished yet).
Vulnerability Details
As mentioned, there is only a subset of tokens which are whitelisted, and this is only done in the constructor:
There is no logic elsewhere which allows updating the mapping for the whitelisted tokens.
Impact
Multiple edge cases can lead to loss of functionality or loss of funds.
Tools Used
Manual review
Recommendations
Have an owner-only function which is able to update the whitelist.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.