Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Wrong implementation address will brick the protocol and eventually funds will remain stuck in the proxy contract forever

mo_

Summary

As sufficient validation is not there, Wrong implementation address input will brick the proxy and eventually funds will remain stuck in the proxy contract forever.

Vulnerability Details

in case of a wrong implementation address is provided through setContest then proxy cannot be deployed and funds cannot be distributed , thus sent funds will get stuck in the non-deployed proxy contract forever .

Distributor.sol is acting as the implementation contract of the protocol currently . It's not changing before an protocol update .So, inputting it manually everytime makes it vulnerable to human error .

setContest function :

function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)
public
onlyOwner
{
if (organizer == address(0) || implementation == address(0)) revert ProxyFactory__NoZeroAddress();
if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {
revert ProxyFactory__CloseTimeNotInRange();
}
bytes32 salt = _calculateSalt(organizer, contestId, implementation);
if (saltToCloseTime[salt] != 0) revert ProxyFactory__ContestIsAlreadyRegistered();
saltToCloseTime[salt] = closeTime;
emit SetContest(organizer, contestId, closeTime, implementation);
}

Impact

Funds getting stuck and supporters will get no reward !

Tools Used

Manual review

Recommendations

Consider storing the implementation address in a variable and input the variable everytime while setting a new contest . This is also better for upgradability

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.