Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Organizer can rug winners and sponsor

Summary

The organizer alone controls the parameters passed to the distribute() function, and nothing verifies them. The organizer can therefore distribute all of the rewards to themselves.

Vulnerability Details

  • The owner sets up a contest for the organizer.

  • The organizer or sponsor funds the proxy contract with 1_000 USDC.

  • Supporters do the work.

  • The organizer calls deployProxyAndDistribute and encodes the data with the following parameters:

    • distribute() selector

    • token = USDC: the USDC address

    • winners = ["organizer address"]: a single winner is set, and it is the organizer's own address

    • percentages = [9500]: 95%, since fees must still be paid

    • data: none

  • The organizer gets back 95% of the funds, here 950 USDC.

Impact

The organizer can steal the funds provided by the sponsor that should have gone to the winners.

Supporters end up having worked without being rewarded, while the organizer keeps 95% of the funds.

Tools Used

VSCode

Recommended Mitigation

One way to avoid this is to sign the distribute() parameters off-chain. The factory owner would sign the parameters, and the Distributor contract would then verify that the parameters it receives carry a valid signature from the factory's owner.

Since the organizer cannot be fully trusted, this turns fund distribution into a multi-party authorization (organizer + owner). A dedicated verifier role that signs the data instead of the owner might be an even better solution.
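As an added illustration of the signed-parameter check proposed above (this is not Sparkn's own code; the contract name, the `verifier` role, the use of OpenZeppelin's ECDSA and the hash layout are all assumptions), a minimal distributor that refuses any token/winners/percentages set the verifier has not signed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustration only (not Sparkn's code): funds are released only for a
/// parameter set that an off-chain "verifier" role has signed.
contract SignedDistributor {
    uint256 public constant BASIS_POINTS = 10000;
    address public immutable verifier;        // assumed: appointed by the factory owner
    mapping(bytes32 => bool) public consumed; // each signed payload can be used once

    constructor(address _verifier) {
        verifier = _verifier;
    }

    /// The hash binds the parameters to this contract and chain, so a
    /// signature for one contest cannot be replayed against another.
    function paramsHash(
        address token, address[] calldata winners, uint256[] calldata percentages, bytes calldata data
    ) public view returns (bytes32) {
        return keccak256(abi.encode(address(this), block.chainid, token, winners, percentages, data));
    }

    function distribute(
        address token, address[] calldata winners, uint256[] calldata percentages,
        bytes calldata data, bytes calldata signature
    ) external {
        require(winners.length == percentages.length, "length mismatch");
        bytes32 digest = paramsHash(token, winners, percentages, data);
        require(!consumed[digest], "already distributed");
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        // The organizer may still submit, but only with parameters the verifier approved.
        require(ECDSA.recover(ethHash, signature) == verifier, "parameters not approved");
        consumed[digest] = true;

        uint256 total = IERC20(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; i++) {
            require(IERC20(token).transfer(winners[i], total * percentages[i] / BASIS_POINTS), "transfer failed");
        }
    }
}
```

The check only moves trust to whoever holds the verifier key, so the signer must actually review the winners list before signing; the protocol fee and the percentage-sum check are left out of this sketch.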
