Locked Tokens Due to Single-Token Distribution Limitation
Summary
If sponsors send prizes in diffrent tokens for example one of sposors send JPYC and other one send USDC and so on. Only one from tokens can be send to winners as prize other will be locked in contract forever
Vulnerability Details
If in proxy have more then one token , other tokens will be locked forever. Because in Distributor.sol contract have only one function from which oranizator can send prizes distribute this function can be call only from ProxyFactory with function deployProxyAndDistribute if organizator use that function to send prizes for one of tekens in contract because in Distributor contract function distribute accept only one address (is not array) other tokens will be locked in contract forever. If organizator try to use function deployProxyAndDistribute in ProxyFactory.sol second time function will revert because Proxy.sol is already deployed with that salt.
Impact
Locked tokens in contract forever because deployProxyAndDistribute can be used only one time.
Tools Used
Manual review
Recommendations
To mitingate this issue you can use many path
Add token address to be send as array with multiple tokens addresses
orAdd function which can be called by organizator to send prizes of other tokens (without trying to deploy proxy again)
orAllow function 'distribute' in
Distributor.solto be called byProxynot only fromProxyFactory.sol
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.