Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

Insufficient input validation in `distributeByOwner` function

Summary

The distributeByOwner function does not check that the given proxy matches the given organizer and contestId. If the owner makes a mistake here, rewards will be sent to the wrong addresses.

Vulnerability Details

The distributeByOwner function looks like this:

    function distributeByOwner(
        address proxy,
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) public onlyOwner {
        if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
        bytes32 salt = _calculateSalt(organizer, contestId, implementation); // <----- No check here that the given proxy matches the given organizer and contestId
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        // distribute only when it exists and expired
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        _distribute(proxy, data);
    }

This gives rise to an issue.

Consider this scenario:

  1. Two proxies exist: ProxyA (not expired) and ProxyB (expired).

  2. The owner calls distributeByOwner but mistakenly passes ProxyA as the proxy together with the contestId and organizer of ProxyB, and the data intended for ProxyB.

  3. Because the function does not validate this, the transaction executes successfully and the rewards are sent to the wrong addresses.

Likelihood: low
Impact: high

Impact

Rewards may be sent to the wrong addresses.

Tools Used

VS code

Recommendations

Consider validating the input by calling the getProxyAddress function with the calculated salt and reverting if the returned address does not match the given proxy.
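As an added illustration (not the Sparkn source and not part of the submission), the same function with the recommended check in place. It is a fragment meant to sit inside ProxyFactory; it assumes getProxyAddress(bytes32 salt, address implementation) is the factory's deterministic address getter and that a new error ProxyFactory__ProxyAddressMismatch is declared alongside the existing ones.

```solidity
    // Added example, not the Sparkn code. Assumed new error for the mismatch case.
    error ProxyFactory__ProxyAddressMismatch();

    function distributeByOwner(
        address proxy,
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) public onlyOwner {
        if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        // distribute only when it exists and expired
        if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
        // Bind the supplied proxy to the (organizer, contestId, implementation) triple:
        // the contest's proxy is the address derived from this salt, so passing
        // ProxyA with ProxyB's organizer/contestId/data now reverts instead of
        // paying out ProxyB's rewards through ProxyA.
        // Assumption: getProxyAddress(bytes32, address) is the factory's existing getter.
        if (proxy != getProxyAddress(salt, implementation)) revert ProxyFactory__ProxyAddressMismatch();
        _distribute(proxy, data);
    }
```

With the check in place, an owner who mixes up the arguments in the scenario above gets a revert rather than a successful but misdirected distribution.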
