Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Organizer can steal funds for himself

Summary

While the README states that issues related to the owner rugging are not accepted, it is also possible for the organizer to rug funds, and nowhere does the README state that this is acceptable.

Vulnerability Details

From the README, the following is stated as a known issue and an acceptable risk:

Owner is in charge of some of the key functions of the protocol. Owner's centralization risk is not an issue to be considered this time.

However, the README does not list centralization risk by the organizer as a known issue.

The organizer can simply steal funds by adding himself as the only winner and allocating himself 95% of the tokens through the distribution function:

function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)

He can essentially now steal all of the sponsors' funds that should have gone to the winner.

Impact

Organizer can steal funds of the contest.

Tools Used

Manual review

Recommendations

Have the winner list validated by either the owner or a sponsor/third party before any distribution is executed.
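One way to implement this recommendation, as an added example that is not Sparkn's code: the organizer proposes a winner list, and the owner or a sponsor must approve the exact same list (matched by hash) before a payout can run, so a unilaterally substituted list is rejected. Contract and function names, and the 5% commission implied by the 95% figure above, are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Illustrative pattern only, not Sparkn's code: the organizer commits to a
// winner list, a second party (owner or sponsor) approves that exact list,
// and only an approved list can be paid out. Names are assumptions; the 5%
// commission mirrors the 95% winner share mentioned in the finding.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
contract ApprovedDistributor {
    uint256 public constant BASIS_POINTS = 10000;
    uint256 public constant COMMISSION_FEE = 500; // 5%, so winners receive 95%
    address public immutable organizer;
    address public immutable approver; // protocol owner or the contest sponsor
    bytes32 public proposedList;       // keccak256(abi.encode(winners, percentages))
    bool public approved;

    constructor(address organizer_, address approver_) {
        organizer = organizer_;
        approver = approver_;
    }

    // Step 1: the organizer proposes a concrete list; any new proposal resets approval.
    function propose(address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == organizer, "not organizer");
        require(winners.length == percentages.length, "length mismatch");
        uint256 total;
        for (uint256 i; i < percentages.length; i++) total += percentages[i];
        require(total == BASIS_POINTS - COMMISSION_FEE, "must sum to 95%");
        proposedList = keccak256(abi.encode(winners, percentages));
        approved = false;
    }
    // Step 2: the approver signs off on the identical list, not on a blind flag.
    function approve(address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == approver, "not approver");
        require(keccak256(abi.encode(winners, percentages)) == proposedList, "list differs");
        approved = true;
    }
    // Step 3: payout only for the approved list; a swapped list fails the hash check.
    function distribute(address token, address[] calldata winners, uint256[] calldata percentages) external {
        require(approved && keccak256(abi.encode(winners, percentages)) == proposedList, "not approved");
        approved = false; // one payout per approval
        uint256 pool = IERC20(token).balanceOf(address(this));
        for (uint256 i; i < winners.length; i++) {
            require(IERC20(token).transfer(winners[i], pool * percentages[i] / BASIS_POINTS), "transfer failed");
        }
    }
}
```

The remaining 5% of the pool stays in the contract for the protocol owner to collect; that withdrawal path is omitted here.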
