In the function deployProxyAndDistribute(), a critical vulnerability has been identified. Currently, there is no validation in place to prevent the same account from repeatedly invoking this function. This vulnerability allows an attacker to exploit the system by making multiple calls to deployProxyAndDistribute() and distributing prizes to addresses of their choice with each call.
The absence of a check to ensure the uniqueness of the calling account enables malicious actors to repeatedly execute the function, manipulating the distribution of prizes at their discretion.
```solidity
function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
    public
    returns (address)
{
    bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    // can set close time to the current time and end it immediately if the organizer wishes
    if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
    address proxy = _deployProxy(msg.sender, contestId, implementation);
    _distribute(proxy, data);
    return proxy;
}
```
Manual check
To mitigate this vulnerability, it is recommended to implement a safeguard that verifies the identity of the caller. Specifically, the addition of a requirement to ensure that the caller's address is not the null address (0x0) will effectively prevent the same user from invoking the function multiple times.
Here is the updated function with the recommended check:
```solidity
function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
    public
    returns (address)
{
    require(msg.sender != address(0), "Caller address must be valid");
    bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    // Can set close time to the current time and end it immediately if the organizer wishes
    if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
    address proxy = _deployProxy(msg.sender, contestId, implementation);
    _distribute(proxy, data);
    return proxy;
}
```
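For comparison, here is an added, self-contained illustration (not the finding's recommendation and not the audited project's code) of a one-shot guard: the factory records each salt once prizes have been distributed for it, so a second call with the same (organizer, contestId, implementation) triple reverts. `saltToCloseTime`, `_calculateSalt` and the two custom errors are taken from the snippet above; `saltToDistributed`, `ProxyFactory__AlreadyDistributed`, `setContest`, the `Distributed` event and the bodies of `_deployProxy` and `_distribute` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract added for this page; it is not the audited project's code.
// Names other than saltToCloseTime, _calculateSalt and the two custom errors shown
// in the finding are assumed for the example.
contract OneShotDistributionFactory {
    error ProxyFactory__ContestIsNotRegistered();
    error ProxyFactory__ContestIsNotClosed();
    error ProxyFactory__AlreadyDistributed(); // assumed error name

    mapping(bytes32 => uint256) public saltToCloseTime;
    // assumed: salts whose prizes have already been distributed
    mapping(bytes32 => bool) public saltToDistributed;

    event Distributed(bytes32 indexed salt, address proxy);

    // simplified registration for the example; the real project gates this separately
    function setContest(bytes32 contestId, address implementation, uint256 closeTime) external {
        saltToCloseTime[_calculateSalt(msg.sender, contestId, implementation)] = closeTime;
    }

    function deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data)
        public
        returns (address)
    {
        bytes32 salt = _calculateSalt(msg.sender, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
        // one-shot guard: a repeat call with the same salt reverts here
        if (saltToDistributed[salt]) revert ProxyFactory__AlreadyDistributed();
        // effect is recorded before any external interaction (checks-effects-interactions)
        saltToDistributed[salt] = true;

        address proxy = _deployProxy(salt, implementation);
        _distribute(proxy, data);
        emit Distributed(salt, proxy);
        return proxy;
    }

    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

    // stand-in deployment: a minimal EIP-1167 clone created with CREATE2 keyed on the salt
    function _deployProxy(bytes32 salt, address implementation) internal returns (address proxy) {
        bytes memory code = abi.encodePacked(
            hex"3d602d80600a3d3981f3363d3d373d3d3d363d73",
            implementation,
            hex"5af43d82803e903d91602b57fd5bf3"
        );
        assembly {
            proxy := create2(0, add(code, 0x20), mload(code), salt)
        }
        require(proxy != address(0), "deploy failed");
    }

    // stand-in distribution: forwards the organizer-supplied calldata to the new proxy
    function _distribute(address proxy, bytes calldata data) internal {
        (bool ok, ) = proxy.call(data);
        require(ok, "distribute failed");
    }
}
```

The guard is keyed on the same salt the existing checks use, so it costs one storage slot per contest and needs no change to how contests are registered or closed; writing the flag before `_deployProxy` and `_distribute` run keeps a reentrant call from slipping past the check.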