Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

The contracts are not acting as an escrow of funds

Summary

According to the protocol description, the contracts are expected to act as an escrow of the sponsor's funds. Since the sponsor is only required to send funds after the contest is set, they may never send funds and so cheat the contestants.

Vulnerability Details

The protocol flow is: setContest => the sponsor sends funds to the precomputed proxy address => after the close time, distribution can be called. But there is a possibility that the sponsor never sends funds to the required contract. When the contest time is over and the supporters expect the distribution of funds, the distribute function of Distributor.sol is called. We can see at L#142 that the whole transaction reverts if tokenAmount = 0 at the proxy address. This is entirely possible because SparkN has left the whole responsibility to the sponsor/organizer, and there is no way to verify that the funds have actually been escrowed.

Impact

If the sponsor doesn't send funds before the close time, the supporters have already done their work and will get no payment. This way the organizer can cheat them. There is no escrow.

Tools Used

Manual review

Recommendations

The protocol needs to take the funds in advance and send them to the computed proxy address within the setContest logic, so that there is no possibility of cheating the contestants.
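As an added illustration, not code from the Sparkn repository: a minimal setContest that pulls the prize into the precomputed proxy address in the same transaction that registers the contest, so distribution can never meet a zero balance. The parameter names, the proxy address derivation, the errors and the event are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example, not Sparkn's code: setContest escrows the prize at contest
/// creation. Parameter names, proxy derivation, errors and event are assumed.
contract EscrowedContestFactory {
    using SafeERC20 for IERC20;

    struct Contest {
        address organizer;
        address token;
        uint256 amount;   // amount verified to be held at the proxy
        uint256 closeTime;
    }

    mapping(bytes32 => Contest) public contests;

    event ContestSet(bytes32 indexed contestId, address proxy, uint256 amount);

    error ZeroAmount();
    error ContestExists();
    error EscrowShortfall(uint256 expected, uint256 actual);

    /// Assumed stand-in for the protocol's real precomputed proxy address.
    function getProxyAddress(bytes32 contestId) public view returns (address) {
        return address(uint160(uint256(keccak256(abi.encode(address(this), contestId)))));
    }

    /// The flow in the finding records the contest here and trusts the organizer
    /// to fund the proxy later, which is what lets distribute() revert on a zero
    /// balance. Pulling the funds here removes that possibility.
    function setContest(bytes32 contestId, address token, uint256 amount, uint256 closeTime) external {
        if (amount == 0) revert ZeroAmount();
        if (contests[contestId].organizer != address(0)) revert ContestExists();
        address proxy = getProxyAddress(contestId);
        uint256 before = IERC20(token).balanceOf(proxy);
        // The organizer must have approved this contract for `amount` beforehand.
        IERC20(token).safeTransferFrom(msg.sender, proxy, amount);
        // Check the balance delta so a fee-on-transfer token cannot under-fund the proxy.
        uint256 received = IERC20(token).balanceOf(proxy) - before;
        if (received < amount) revert EscrowShortfall(amount, received);
        contests[contestId] = Contest(msg.sender, token, received, closeTime);
        emit ContestSet(contestId, proxy, received);
    }
}
```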
