Implementation address manipulation: Front-running vulnerability in `deployProxyAndDistributeBySignature`
Summary
The deployProxyAndDistributeBySignature function in the provided contract is vulnerable to a front-running attack. Since the implementation address is not included in the digest signature, a malicious actor can frontrun the transaction and change the implementation address.
Vulnerability Details
In the function deployProxyAndDistributeBySignature, the digest for the signature verification is created using the contestId and data. The implementation address, which is crucial for the deployment of the proxy, is not included in this digest.
This omission means that while the contestId and data are protected by the signature, the implementation address is not. A malicious actor can observe a transaction in the transaction pool (mempool) and front-run it by sending a transaction with a higher gas price and an evil implementation address. This would allow the attacker to deploy a malicious proxy contract.
Impact
A successful exploitation of this vulnerability would allow an attacker to deploy a malicious proxy contract on behalf of the organizer. This could lead to a wide range of attacks, including but not limited to:
Stealing funds or assets managed by the proxy.
Manipulating the behavior of the proxy in malicious ways.
Damaging the reputation of the organizer.
Tools Used
Manual Code Review
Recommendations
Include the implementation address in the digest: Modify the digest creation to include the implementation address. This will ensure that the signature also covers the implementation address, preventing any unauthorized changes.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.