Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low

Ether might get stuck in Proxy contract storage

Summary

The Proxy contract's address is known before its deployment, making it possible to get Ether stuck in the contract.

Vulnerability Details

Because the Proxy contract's address is known to users before it is deployed, thanks to the getProxyAddress function in ProxyFactory, users could send any token to this address, including the native Ether token. Neither Proxy nor Distributor has any logic implemented to handle Ether.

Although the protocol is not meant to handle any transfers of Ether, it is still possible that a naive user transfers it before deployment via the mechanism described above. Given that the Proxy is only deployed at the end of a contest, when rewards are to be distributed, this becomes even more likely as Ether can be sent to the address for a long period of time.

Impact

Any Ether mistakenly sent to the contract by users will be stuck forever.

Tools Used

Manual Review

Recommendations

Implement a withdraw() payable function in the Proxy (or Distributor) contract, so that any Ether mistakenly sent to the Proxy address before deployment can be returned to users.
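
One way to implement this recommendation, as an added example that is not code from Sparkn or from the submission: a hypothetical `RescuableProxySketch` whose deployer can sweep Ether that reached the address before deployment. The contract name, `rescueEther`, the events and errors, and the choice of the deploying factory as the only authorized caller are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration, not the Sparkn Proxy. All identifiers are hypothetical.
contract RescuableProxySketch {
    address private immutable _implementation;
    // Assumption: the deploying factory is trusted to trigger refunds.
    address private immutable _factory;

    event EtherRescued(address indexed to, uint256 amount);

    error NotFactory();
    error ZeroAddress();
    error RescueFailed();

    // A non-payable constructor does not prevent a pre-existing balance:
    // Ether sent to the precomputed address is already there at deployment.
    constructor(address implementation_) {
        if (implementation_ == address(0)) revert ZeroAddress();
        _implementation = implementation_;
        _factory = msg.sender;
    }

    /// Sends the whole Ether balance of this proxy to `to`.
    /// Defined on the proxy itself, so it is never forwarded by fallback().
    function rescueEther(address payable to) external {
        if (msg.sender != _factory) revert NotFactory();
        if (to == address(0)) revert ZeroAddress();
        uint256 amount = address(this).balance;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert RescueFailed();
        emit EtherRescued(to, amount);
    }

    /// Non-payable: calls carrying Ether after deployment revert.
    fallback() external {
        address impl = _implementation; // immutables cannot be read in assembly
        assembly {
            calldatacopy(0, 0, calldatasize())
            let result := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch result
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Because `rescueEther` lives on the proxy, its selector shadows any implementation function with the same selector, so the name must not collide with the implementation's interface.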
