Sparkn

Summary

Wrong implementation address can be mistakenly passed to setContest causing funds to be stuck forever

Vulnerability Details

In setConstest the owner is supposed to pass correct and actual verison of implementation, however only check for address zero is made. Owner can mistakenly pass an incorrect implementation address which might freeze the funds forever. If in passed address there aren't implemented functions to recover these funds they will be lost. Being aware that owner is a trusted role it should not be possible, however this mistake can happen (off-chain scripts not being updated, human error). Likelyhood is very low but impact is high.

POC

1. Sponsor provides funds for next contest.

2. Owner precomputes proxy address with wrong implementation address which is not able to recover funds.

3. Unaware sponsor transfers his funds to this address.

4. Owner calls setContest with incorrect implementation address.

5. Funds are stuck in proxy address without a way to send them back or distribute them to the potential users (supporters).

Impact

Sponsor's funds intended for users are lost forever.

Tools Used

VScode, Foundry

Recommendations

The best way to solve this issue is createing a state variable holding current implementation address. Create seperate function to update current implementation version (with address) and set onlyOwner modifier. setContest function is also restricted only to owner so centralization risk does not increase.