Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Prize distribution data is not stored on-chain, so the owner can manipulate the distribution.

Summary

If the owner is malicious, the owner can manipulate the prize distribution: the `data` argument of `deployProxyAndDistributeByOwner` is supplied at call time and nothing on-chain constrains what it contains. To establish a transparent and trustless system that follows the fundamental principle of blockchain technology, the prize distribution data should be stored on-chain before it is used for distribution.

Vulnerability Details

The prize distribution data is not stored on-chain. It is passed to the function below as an arbitrary `bytes calldata data` argument and forwarded directly to `_distribute`, so whoever calls the function (here the owner, after the contest has expired) decides what the distribution looks like, with no on-chain record to check it against.

    /**
     * @notice deploy proxy contract and distribute prize on behalf of organizer by owner
     * @notice This can only be called after contest is expired
     * @dev the caller must be owner
     * @param organizer The organizer of the contest
     * @param contestId The contest id
     * @param implementation The implementation address
     * @param data The prize distribution data
     * @return proxy The proxy address
     */
    function deployProxyAndDistributeByOwner(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) public onlyOwner returns (address) {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        // require(saltToCloseTime[salt] == 0, "Contest is not registered");
        // require(saltToCloseTime[salt] < block.timestamp + EXPIRATION_TIME, "Contest is not expired");
        address proxy = _deployProxy(organizer, contestId, implementation);
        _distribute(proxy, data);
        return proxy;
    }

Impact

Wrong or deliberately altered prize distribution data can be passed in the `data` argument. Because the contract holds no on-chain record of the intended distribution, the prizes are distributed according to whatever the owner supplies rather than what the organizer intended, and participants have no way to verify the distribution before it happens.

Tools Used

Manual review

Recommendations

  • Store contest-related information, in particular the prize distribution data (or a hash of it that the organizer commits before the contest closes), on-chain, and have `deployProxyAndDistributeByOwner` verify the supplied `data` against that record before calling `_distribute`. This makes the distribution transparent and trustless instead of dependent on the owner's honesty.
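As an added illustration of the commit-then-verify approach (this is example code written for this page, not the Sparkn/CodeFox implementation), the contract below lets the organizer commit `keccak256(data)` on-chain while the contest is registered, and makes the owner fallback refuse any `data` that does not match the commitment. The names `saltToDistributionHash`, `commitDistribution`, `setContest`, the `ProxyFactory__NoCommitment` / `ProxyFactory__DistributionDataMismatch` errors and the 7-day `EXPIRATION_TIME` are assumptions made for the example; `_deployProxy` is a minimal EIP-1167 `create2` clone and `_distribute` simply calls the proxy with `data`, which stands in for whatever the real helpers do.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Example only: names and helper bodies are assumptions, not the audited code.
contract ProxyFactoryCommitExample {
    error ProxyFactory__NotOwner();
    error ProxyFactory__ContestIsNotRegistered();
    error ProxyFactory__ContestIsClosed();
    error ProxyFactory__ContestIsNotExpired();
    error ProxyFactory__NoCommitment();
    error ProxyFactory__DistributionDataMismatch();
    error ProxyFactory__DistributeFailed();

    uint256 public constant EXPIRATION_TIME = 7 days; // assumed value
    address public immutable owner;

    // salt => contest close time (same role as the mapping in the finding)
    mapping(bytes32 => uint256) public saltToCloseTime;
    // salt => keccak256 of the exact distribution calldata the organizer committed to
    mapping(bytes32 => bytes32) public saltToDistributionHash;

    event DistributionCommitted(bytes32 indexed salt, bytes32 dataHash);

    modifier onlyOwner() {
        if (msg.sender != owner) revert ProxyFactory__NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal pure returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    // Owner registers a contest; stands in for the project's registration path.
    function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)
        external onlyOwner
    {
        saltToCloseTime[_calculateSalt(organizer, contestId, implementation)] = closeTime;
    }

    // The organizer (msg.sender is part of the salt, so nobody else can commit for
    // this contest) records a hash of the distribution data before the contest closes.
    function commitDistribution(bytes32 contestId, address implementation, bytes calldata data) external {
        bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] <= block.timestamp) revert ProxyFactory__ContestIsClosed();
        bytes32 dataHash = keccak256(data);
        saltToDistributionHash[salt] = dataHash;
        emit DistributionCommitted(salt, dataHash);
    }

    // Owner fallback: the expiry checks from the finding, plus a check that the
    // supplied data is byte-for-byte what the organizer committed on-chain.
    function deployProxyAndDistributeByOwner(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) external onlyOwner returns (address proxy) {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        bytes32 committed = saltToDistributionHash[salt];
        if (committed == bytes32(0)) revert ProxyFactory__NoCommitment();
        if (keccak256(data) != committed) revert ProxyFactory__DistributionDataMismatch();
        proxy = _deployProxy(organizer, contestId, implementation);
        _distribute(proxy, data);
    }

    // Minimal EIP-1167 clone deployed with create2 so the proxy address is derived from the salt.
    function _deployProxy(address organizer, bytes32 contestId, address implementation)
        internal returns (address proxy)
    {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        bytes20 target = bytes20(implementation);
        assembly {
            let code := mload(0x40)
            mstore(code, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(code, 0x14), target)
            mstore(add(code, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            proxy := create2(0, code, 0x37, salt)
        }
        require(proxy != address(0), "create2 failed");
    }

    // Forwards the (now verified) distribution calldata to the proxy.
    function _distribute(address proxy, bytes calldata data) internal {
        (bool ok, ) = proxy.call(data);
        if (!ok) revert ProxyFactory__DistributeFailed();
    }
}
```

The point of the pattern is that the bytes the owner eventually passes must hash to a value the organizer put on-chain before the contest closed, so the owner can only replay the organizer's intended distribution, not author a new one; anyone can read `saltToDistributionHash` and check the published data against it ahead of time. Note the trade-off the example makes explicit with `ProxyFactory__NoCommitment`: if the organizer never commits, the owner fallback cannot distribute at all, so a real design has to decide how (and after what delay) funds are released in that case.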
