Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

CloseTime can be set to one second

Summary

The closeTime parameter of the setContest function can be set as low as one second from now. This might cause some unintended behaviour.

Vulnerability Details

In the setContest function, the closeTime parameter can be set to block.timestamp + 1. I am aware that this is intended, but it may lead to some unintended behaviour. One such behaviour is the organizer being able to call deployProxyAndDistribute right away after the contest starts. It does not have to be the lowest possible value (one second). It can be 2 hours, in which the organizer can add at least one winner to the array, and this winner will secure the whole payout without any competition.

    if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {
        revert ProxyFactory__CloseTimeNotInRange();
    }

POC

  1. Sponsor provides funds and transfers them to precalculated proxy address.

  2. The closeTime is set to a very low value, such as 2 hours (block.timestamp + 2 hours).

  3. Only one participant can be chosen for the winners array.

  4. Organizer calls deployProxyAndDistribute and only one supporter receives a prize without competition.

Impact

This bypasses intended protocol functionality, because only a small number of users will be able to participate and receive prizes based on their input in the contest.

Tools Used

VScode, Foundry

Recommendations

Enforce a minimum contest duration so that users have enough time to participate in the protocol. This will allow a greater number of supporters to take part in contests.
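
One way to apply this recommendation, shown beside the check quoted above. This is an added example, not the Sparkn ProxyFactory source: the contract name, both function names, the simplified two-argument signature, MIN_CONTEST_PERIOD and both constant values are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only; not the project's own contract.
contract CloseTimeBounds {
    error ProxyFactory__CloseTimeNotInRange();

    // Assumed value: the report does not state this constant.
    uint256 public constant MAX_CONTEST_PERIOD = 28 days;
    // Hypothetical constant implementing the recommended lower bound.
    uint256 public constant MIN_CONTEST_PERIOD = 1 days;

    // contestId => closeTime (simplified storage for the example)
    mapping(bytes32 => uint256) public closeTimeOf;

    /// Check as quoted in the report: any closeTime from the current
    /// timestamp up to the maximum passes, so a contest may close
    /// almost immediately after it is created.
    function setContestOriginal(bytes32 contestId, uint256 closeTime) external {
        if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {
            revert ProxyFactory__CloseTimeNotInRange();
        }
        closeTimeOf[contestId] = closeTime;
    }

    /// Variant with a lower bound: the contest must remain open for at
    /// least MIN_CONTEST_PERIOD before distribution can be triggered.
    function setContestWithMinimum(bytes32 contestId, uint256 closeTime) external {
        if (
            closeTime > block.timestamp + MAX_CONTEST_PERIOD
                || closeTime < block.timestamp + MIN_CONTEST_PERIOD
        ) {
            revert ProxyFactory__CloseTimeNotInRange();
        }
        closeTimeOf[contestId] = closeTime;
    }
}
```

With these assumed values, a closeTime of block.timestamp + 2 hours is accepted by the first function and reverts in the second.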
