Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Compromised owner can set a malicious implementation address for phishing

Summary

A compromised owner, or an owner acting by mistake, can call setContest(.., implementation) to set a malicious or wrong implementation address, leading to theft or loss of sponsor/organizer tokens.

Vulnerability Details

Example:

1. A compromised owner creates a contest, setting a malicious distributor address as the implementation.
2. The sponsor sends the tokens to the proxy; then, let's say, the organizer uses the frontend and calls distribute (we don't need to go this far, but to make it interesting and save tx gas 😄).
3. The proxy delegatecalls to the malicious implementation, which sends all the funds to the alice address.

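    contract FakeDistributorImplementation {
        address immutable alice;
        // ...

        // Same signature as the real distribute(), but ignores winners/percentages/data.
        // Runs via delegatecall, so address(this) is the proxy holding the tokens.
        function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
            external
        {
            MockERC20(token).transfer(alice, MockERC20(token).balanceOf(address(this)));
        }
    }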

Tools Used

Foundry

Impact

Phishing of sponsor/organizer tokens. The likelihood is obviously low because the owner is trusted, but because the owner can always set the implementation address through setContest(..), the likelihood can also be considered medium; and what if a wrong address is passed as a parameter? The impact is high, so high severity.

Mitigation Steps

Consider deploying Distributor through the proxy factory and storing the distributor address in an immutable address variable:

    address immutable distributor_implementation;

Then pass it as the implementation for all the proxies, e.g.:

    address proxy = address(new Proxy{salt: salt}(distributor_implementation));

This guarantees that the implementation is always Distributor.sol.
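The mitigation above as a compilable sketch, added here as an illustration and not taken from the Sparkn code base. MinimalProxy, PinnedProxyFactory, deployProxy and predictProxy are hypothetical names, and access control and salt derivation are left to the real factory. It also shows that, with CREATE2, the pinned implementation is part of the proxy's init code, so the proxy address itself commits to it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical stand-in for the project's Proxy: forwards every call via delegatecall.
contract MinimalProxy {
    address private immutable _implementation;

    constructor(address implementation_) {
        _implementation = implementation_;
    }

    fallback() external payable {
        address impl = _implementation; // immutables must be copied before use in assembly
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Hypothetical factory: the implementation is fixed at construction, never a call parameter.
contract PinnedProxyFactory {
    error NoCodeAtImplementation();

    address public immutable distributor_implementation;

    constructor(address distributor) {
        // Catches the "wrong address passed as a parameter" case once, at deployment.
        if (distributor.code.length == 0) revert NoCodeAtImplementation();
        distributor_implementation = distributor;
    }

    // Assumption: the real factory restricts the caller and derives salt from contest data.
    function deployProxy(bytes32 salt) external returns (address proxy) {
        proxy = address(new MinimalProxy{salt: salt}(distributor_implementation));
    }

    // CREATE2 address = keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:].
    // initCode embeds the constructor argument, so a different implementation gives a different address.
    function predictProxy(bytes32 salt) external view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(MinimalProxy).creationCode, abi.encode(distributor_implementation))
        );
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)
        ))));
    }
}
```

A sponsor or reviewer can compare predictProxy(salt) with the address they are asked to fund and read distributor_implementation once, instead of trusting a per-contest parameter.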
