The _distribute function attempts to make a delegate call to a proxy address. However, there is no check to ensure that the proxy address actually points to a deployed contract. This can lead to a silent failure if the proxy address is not a contract or hasn't been deployed yet.
The _distribute function internally uses a low-level delegatecall to forward the provided data to the proxy address. According to the Solidity documentation, the low-level call, delegatecall, and staticcall functions return true as their first return value if the account called is non-existent. This is a design feature of the EVM, not a bug in Solidity.
In the current implementation, if the proxy address doesn't point to a deployed contract, the function will not revert and will still emit a Distributed event, potentially misleading users or other contracts into believing that the distribution was successful.
Misleading Events: The Distributed event can be emitted even though no distribution logic ran, producing false positives for off-chain indexers and on-chain consumers of the event.
Loss of Funds: If the function is used to distribute funds or rewards, the silent failure can result in funds being lost or rewards never being distributed, while the emitted event suggests otherwise.
Manual Review
Before making the delegate call, check that the proxy address is a contract. This can be done using the extcodesize EVM opcode, which Solidity exposes as `address.code.length`. Example: `require(proxy.code.length > 0, "proxy implementation not deployed");`
Instead of a generic ProxyFactory__DelegateCallFailed revert message, consider using more descriptive error messages that indicate the exact reason for failure, and bubble up the callee's revert data when the delegatecall itself fails.
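To make the two behaviours concrete, the following is an added illustration (not the audited project's code) that places the unchecked _distribute pattern beside a hardened version using the `code.length` check above; the contract name, the custom error names other than ProxyFactory__DelegateCallFailed, and the event signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction for illustration; names and layout are assumptions.
contract DistributorExample {
    error ProxyFactory__DelegateCallFailed();
    error ProxyFactory__ImplementationNotDeployed(address proxy); // assumed name

    event Distributed(address indexed proxy, bytes data);

    // Vulnerable form: DELEGATECALL to an address with no code succeeds at the EVM
    // level (success == true), so the event fires even though nothing executed.
    function _distributeUnchecked(address proxy, bytes memory data) internal {
        (bool success, ) = proxy.delegatecall(data);
        if (!success) revert ProxyFactory__DelegateCallFailed();
        emit Distributed(proxy, data);
    }

    // Hardened form: require deployed code at the target before delegating.
    // Caveat: `proxy.code.length` is zero for EOAs and for contracts still in their
    // constructor, and a non-zero length does not prove the code implements the
    // expected interface; it only rules out the "silent success" case described above.
    function _distributeChecked(address proxy, bytes memory data) internal {
        if (proxy.code.length == 0) revert ProxyFactory__ImplementationNotDeployed(proxy);
        (bool success, bytes memory ret) = proxy.delegatecall(data);
        if (!success) {
            // Bubble up the callee's revert data so callers see the real reason
            // instead of the generic ProxyFactory__DelegateCallFailed.
            if (ret.length > 0) {
                assembly {
                    revert(add(ret, 32), mload(ret))
                }
            }
            revert ProxyFactory__DelegateCallFailed();
        }
        emit Distributed(proxy, data);
    }

    // Public wrappers so the two behaviours can be compared, e.g. in a Foundry test
    // that calls each with a fresh, never-deployed address as `proxy`.
    function distributeUnchecked(address proxy, bytes calldata data) external {
        _distributeUnchecked(proxy, data);
    }

    function distributeChecked(address proxy, bytes calldata data) external {
        _distributeChecked(proxy, data);
    }
}
```

Calling distributeUnchecked with an address that has no code emits Distributed and returns normally, whereas distributeChecked reverts with ProxyFactory__ImplementationNotDeployed, which is the behaviour the recommendation above asks for.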