Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Organizer can cheat supporters by distributing a different token than first declared

Summary

The organizer may announce a certain token (assume DAI) and a certain amount when sharing contest details with SparkN for setting up the contest, but this information is not verified later when the funds are distributed.

Vulnerability Details

At Distributor.sol L#121 the logic checks whether the token address supplied in the distribution data is whitelisted, but it does not check that this is the same token address, in the same amount, that was promised when the contest was declared on the marketplace. Even if the protocol whitelists only stablecoins, consider a depeg event (as recently witnessed with USDC): the organizer/sponsor could send the depegged, less-valuable token (e.g. USDC) in place of the DAI that was previously declared. The token address and its amount need to be tied to the contest info and verified at distribution time.

Impact

Potential loss of funds for supporters: they may receive a different, less-valuable token (if depegged), or the organizer/sponsor may send a smaller amount of the token than was first declared.

Tools Used

Manual review

Recommendations

Verify that the token address sent in the distribution calldata matches the one declared when the contest was set up, and record contest info such as the token address and token amount in the setContest logic so that both can be checked at distribution time.
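A sketch of the recommended check, written here as an added example and not taken from the Sparkn code base. The contract, struct, error and function names are hypothetical, and the real contest-creation and distribution flow in Sparkn differs; the point is only that the token/amount pair is stored at setContest and compared against the distribution calldata.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustrative sketch, not Sparkn's code. All names here are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract ContestDistributorSketch {
    struct ContestInfo {
        address token;  // token promised to supporters when the contest was declared
        uint256 amount; // total amount promised
        bool exists;
    }

    address public immutable owner;
    mapping(address => bool) public whitelistedTokens;
    mapping(bytes32 => ContestInfo) public contests;

    error NotOwner();
    error TokenNotWhitelisted(address token);
    error ContestUnknown(bytes32 contestId);
    error TokenMismatch(address declared, address supplied);
    error AmountMismatch(uint256 declared, uint256 supplied);
    error InsufficientBalance(uint256 required, uint256 held);
    error LengthMismatch();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function whitelistToken(address token, bool allowed) external onlyOwner {
        whitelistedTokens[token] = allowed;
    }

    // Record the token and amount announced to supporters. The declared token
    // must already be whitelisted, so a non-whitelisted token cannot be promised.
    function setContest(bytes32 contestId, address token, uint256 amount) external onlyOwner {
        if (!whitelistedTokens[token]) revert TokenNotWhitelisted(token);
        contests[contestId] = ContestInfo({token: token, amount: amount, exists: true});
    }

    // Distribution must use exactly the declared token and sum to the declared total.
    function distribute(
        bytes32 contestId,
        address token,
        address[] calldata winners,
        uint256[] calldata amounts
    ) external onlyOwner {
        ContestInfo memory info = contests[contestId];
        if (!info.exists) revert ContestUnknown(contestId);
        // Whitelist check alone is the state described in the finding.
        if (!whitelistedTokens[token]) revert TokenNotWhitelisted(token);
        // The missing check: tie the calldata token to the declared contest token.
        if (token != info.token) revert TokenMismatch(info.token, token);
        if (winners.length != amounts.length) revert LengthMismatch();

        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) {
            total += amounts[i];
        }
        // The missing amount check: the payout must equal what was promised.
        if (total != info.amount) revert AmountMismatch(info.amount, total);

        // The sponsor must actually have funded the declared amount.
        uint256 held = IERC20Minimal(token).balanceOf(address(this));
        if (held < total) revert InsufficientBalance(total, held);

        for (uint256 i = 0; i < winners.length; i++) {
            require(IERC20Minimal(token).transfer(winners[i], amounts[i]), "transfer failed");
        }
    }
}
```

Storing the pair at setContest and comparing it in distribute closes both cases listed under Impact: a swapped (possibly depegged) token and a short-changed total. A production version would use a safe-transfer wrapper for tokens that do not return a bool; that is omitted here to keep the check itself visible.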
