Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

There is no functionality to remove or add a whitelisted token

Summary

The only way to add whitelisted tokens in ProxyFactory.sol is currently to pass them to the constructor():

constructor(address[] memory _whitelistedTokens) EIP712("ProxyFactory", "1") Ownable() {
    if (_whitelistedTokens.length == 0) revert ProxyFactory__NoEmptyArray();
    for (uint256 i; i < _whitelistedTokens.length;) {
        if (_whitelistedTokens[i] == address(0)) revert ProxyFactory__NoZeroAddress();
        whitelistedTokens[_whitelistedTokens[i]] = true;
        unchecked {
            i++;
        }
    }
}

Vulnerability Details

ProxyFactory.sol allows whitelisted tokens to be used as rewards for a specific contest, but there is no functionality for adding tokens to or removing them from the whitelist. This is a problem if an incompatibility or exploit (for example, a depeg) is discovered in a whitelisted token, or if new popular stablecoins emerge in the future.

Impact

If the protocol wants to change the whitelisted tokens, it has to redeploy both the ProxyFactory and the Distributor contract, since the Distributor contract relies on ProxyFactory. Doing this every time a token is added or removed is costly. The dependency is visible in distribute(), which only accepts calls from FACTORY_ADDRESS:

function distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
    external
{
    if (msg.sender != FACTORY_ADDRESS) {
        revert Distributor__OnlyFactoryAddressIsAllowed();
    }
    _distribute(token, winners, percentages, data);
}

Tools Used

Manual Analysis

Recommendations

Add two functions, callable only by the owner, that add tokens to and remove tokens from the whitelist.
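
One way to implement this recommendation, as an added example that is not the audited code: a reduced stand-in for ProxyFactory that keeps only the whitelist. The contract name, the two function names, the extra errors and the events are hypothetical, and OpenZeppelin Contracts v4.x and a public mapping are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // assumption: any compiler with custom errors

// Assumption: OpenZeppelin Contracts v4.x, matching the argument-less Ownable() on the page.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Reduced stand-in for ProxyFactory: whitelist handling only (added example).
contract WhitelistSketch is Ownable {
    // Errors taken from the constructor shown on the page.
    error ProxyFactory__NoEmptyArray();
    error ProxyFactory__NoZeroAddress();
    // Hypothetical errors and events, not part of the audited code.
    error ProxyFactory__TokenAlreadyWhitelisted(address token);
    error ProxyFactory__TokenNotWhitelisted(address token);
    event TokenWhitelisted(address indexed token);
    event TokenRemovedFromWhitelist(address indexed token);

    mapping(address => bool) public whitelistedTokens;

    constructor(address[] memory _whitelistedTokens) Ownable() {
        if (_whitelistedTokens.length == 0) revert ProxyFactory__NoEmptyArray();
        // Unlike the original constructor, this sketch rejects duplicate entries.
        for (uint256 i; i < _whitelistedTokens.length; ++i) {
            _add(_whitelistedTokens[i]);
        }
    }

    /// Owner-only: start accepting `token` without redeploying.
    function addWhitelistedToken(address token) external onlyOwner {
        _add(token);
    }

    /// Owner-only: stop accepting `token`, e.g. after a depeg or exploit.
    function removeWhitelistedToken(address token) external onlyOwner {
        if (!whitelistedTokens[token]) revert ProxyFactory__TokenNotWhitelisted(token);
        whitelistedTokens[token] = false;
        emit TokenRemovedFromWhitelist(token);
    }

    // Shared validation so the constructor and the setter enforce the same rules.
    function _add(address token) private {
        if (token == address(0)) revert ProxyFactory__NoZeroAddress();
        if (whitelistedTokens[token]) revert ProxyFactory__TokenAlreadyWhitelisted(token);
        whitelistedTokens[token] = true;
        emit TokenWhitelisted(token);
    }
}
```

The events give off-chain monitoring a record of every whitelist change, and the explicit reverts keep a no-op call from emitting a misleading event.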
