Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Possible permanent lockup of tokens in the contract

Summary

ERC20 tokens like USDT and USDC can be locked forever in the proxy contract if one of the winners is blacklisted.

Vulnerability Details

The vulnerability is in the _distribute function of Distributor.sol. If one of the winners is blacklisted by an ERC20 token like USDT or USDC, the _distribute function will always revert and the tokens will be locked in the contract forever, since there is no rescue function. Additionally, ProxyFactory.sol has the function deployProxyAndDistributeByOwner, which is supposed to be used to rescue tokens stuck in a proxy, but because this function calls the _distribute function in Distributor.sol again, the result is the same and the tokens stay locked there forever.

Impact

These vulnerabilities have the potential to lead to substantial financial losses and disrupt the intended functionality of the Sparkn Protocol. Tokens can be inadvertently locked, making them unrecoverable, and attempts to rescue them through the owner's actions will also fail.

Tools Used

Manual Review

Recommendations

Add a rescue function to Distributor.sol so that the owner can withdraw tokens stuck in proxy contracts, for example:

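    // Assumes `using SafeERC20 for IERC20` and an onlyOwner modifier in the contract.
    function rescue(IERC20 _token, address to) external onlyOwner {
        // Send the contract's entire balance of _token to the given address.
        uint256 balance = _token.balanceOf(address(this));
        _token.safeTransfer(to, balance);
    }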
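
The failure mode and the rescue path described above, as an added example that is not part of the original submission or the Sparkn code base. BlacklistToken, PushDistributor and Scenario are hypothetical, simplified contracts (equal shares, a constructed token mock, constructed addresses).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Constructed stand-in for a token with a USDC/USDT-style blacklist.
contract BlacklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function blacklist(address who) external { blacklisted[who] = true; }
    function transfer(address to, uint256 amt) external returns (bool) {
        require(!blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Simplified push-style payout (hypothetical, not Sparkn's Distributor.sol).
contract PushDistributor {
    address public immutable owner = msg.sender;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // A single reverting transfer reverts the whole call, so no winner is paid.
    function distribute(BlacklistToken t, address[] calldata winners) external onlyOwner {
        uint256 share = t.balanceOf(address(this)) / winners.length;
        for (uint256 i = 0; i < winners.length; ++i) {
            t.transfer(winners[i], share);
        }
    }
    // Owner-only escape hatch, as the recommendation suggests.
    function rescue(BlacklistToken t, address to) external onlyOwner {
        t.transfer(to, t.balanceOf(address(this)));
    }
}

// Drives the scenario: payout with one blacklisted winner, then rescue.
contract Scenario {
    function run() external returns (bool payoutReverted, uint256 stuck, uint256 afterRescue) {
        BlacklistToken t = new BlacklistToken();
        PushDistributor d = new PushDistributor(); // this contract becomes owner
        t.mint(address(d), 1000);
        address[] memory winners = new address[](2);
        winners[0] = address(0xA11CE); // constructed address
        winners[1] = address(0xB0B);   // constructed address, blacklisted below
        t.blacklist(winners[1]);
        try d.distribute(t, winners) {} catch { payoutReverted = true; }
        stuck = t.balanceOf(address(d));
        d.rescue(t, address(this));
        afterRescue = t.balanceOf(address(d));
    }
}
```

Because the first winner's transfer is rolled back together with the failing one, the distributor's balance is unchanged after the failed payout; only the rescue call moves it.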
