Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Malicious organizer can send funds to own address and scam supporters

Summary

Arbitrary data passed to the deployProxyAndDistribute and deployProxyAndDistributeBySignature functions is used to distribute the rewards among the supporters. However, this input is not sufficiently validated on-chain, which lets a malicious organizer misuse it.

For example, a malicious organizer can pass his own address in the data field and take all the money himself, scamming the supporters who worked on the project.

Vulnerability Details

    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        public
        returns (address)
    {
        bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        // can set close time to current time and end it immediately if organizer wish
        if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
        address proxy = _deployProxy(msg.sender, contestId, implementation);
        // `data` is forwarded as-is: nothing checks the winner list it carries
        _distribute(proxy, data);
        return proxy;
    }

Impact

Funds can be stolen by a malicious organizer.

Tools Used

Manual review

Recommendations

SPARKN is built on the philosophy of "Supporters first", so ensuring supporters' safety is one of the main priorities here. Without any validation of the arbitrary data supplied by an untrusted user (the organizer), a catastrophic incident can occur, and most importantly it is the supporters who are put at stake.

So, validate the data properly off-chain and also introduce an on-chain validation step.
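One way to implement the on-chain part of this recommendation, written as an added example that is not part of the original submission or of Sparkn's code base: the factory decodes the forwarded calldata before any funds move and rejects a winner list that names the organizer. It assumes the proxy's entry point is `distribute(address token, address[] winners, uint256[] percentages, bytes data)`, that percentages are expressed in basis points with a fixed protocol commission, and that contests are registered through a setter; the constants, error names, `setContest` and the EIP-1167 `_deployProxy` helper are illustrative stand-ins, not the project's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Sparkn's code. ASSUMPTIONS: the proxy exposes
// distribute(address token, address[] winners, uint256[] percentages, bytes data),
// percentages are in basis points, and a fixed commission is retained by the protocol.
contract ProxyFactoryHardened {
    uint256 public constant BASIS_POINTS = 10_000; // assumed scale
    uint256 public constant COMMISSION_FEE = 500;  // assumed 5% protocol fee
    bytes4 private constant DISTRIBUTE_SELECTOR =
        bytes4(keccak256("distribute(address,address[],uint256[],bytes)"));

    mapping(bytes32 => uint256) public saltToCloseTime;

    error ProxyFactory__ContestIsNotRegistered();
    error ProxyFactory__ContestIsNotClosed();
    error ProxyFactory__InvalidSelector();
    error ProxyFactory__LengthMismatch();
    error ProxyFactory__OrganizerCannotBeWinner();
    error ProxyFactory__InvalidTotalPercentage();
    error ProxyFactory__DistributionFailed();

    // Assumed registration path; access control is omitted here only to keep the example short.
    function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation) external {
        saltToCloseTime[_calculateSalt(organizer, contestId, implementation)] = closeTime;
    }

    // Same flow as the reported function, plus a validation step before any funds move.
    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        public
        returns (address)
    {
        bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
        _validateDistributionData(msg.sender, data);
        address proxy = _deployProxy(msg.sender, contestId, implementation);
        _distribute(proxy, data);
        return proxy;
    }

    // Rejects calldata that (a) targets anything other than distribute(),
    // (b) names the organizer as a winner, or (c) does not pay out exactly the
    // non-commission share, so a malformed or self-serving payout reverts up front.
    function _validateDistributionData(address organizer, bytes calldata data) internal pure {
        if (data.length < 4 || bytes4(data[:4]) != DISTRIBUTE_SELECTOR) {
            revert ProxyFactory__InvalidSelector();
        }
        (, address[] memory winners, uint256[] memory percentages,) =
            abi.decode(data[4:], (address, address[], uint256[], bytes));
        if (winners.length == 0 || winners.length != percentages.length) {
            revert ProxyFactory__LengthMismatch();
        }
        uint256 total;
        for (uint256 i = 0; i < winners.length; ++i) {
            if (winners[i] == organizer) revert ProxyFactory__OrganizerCannotBeWinner();
            total += percentages[i];
        }
        if (total != BASIS_POINTS - COMMISSION_FEE) revert ProxyFactory__InvalidTotalPercentage();
    }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    // Minimal EIP-1167 clone deployed with CREATE2; an illustrative stand-in for the real helper.
    function _deployProxy(address organizer, bytes32 contestId, address implementation)
        internal
        returns (address proxy)
    {
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        bytes memory bytecode = abi.encodePacked(
            hex"3d602d80600a3d3981f3363d3d373d3d3d363d73",
            implementation,
            hex"5af43d82803e903d91602b57fd5bf3"
        );
        assembly {
            proxy := create2(0, add(bytecode, 0x20), mload(bytecode), salt)
        }
        require(proxy != address(0), "create2 failed");
    }

    function _distribute(address proxy, bytes calldata data) internal {
        (bool ok,) = proxy.call(data);
        if (!ok) revert ProxyFactory__DistributionFailed();
    }
}
```

The check covers the exact case the report describes (the organizer listing msg.sender as a winner) and the two structural errors most likely to slip through, but it cannot judge whether a listed address is a genuine supporter, so the off-chain review of the winner list that the recommendation also asks for remains necessary.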
