Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low
Valid

Missing deadline check in `deployProxyAndDistributeBySignature()`

Summary

There is no deadline check in `deployProxyAndDistributeBySignature()`. The signed message should always include an expiration timestamp.

Vulnerability Details

`ProxyFactory.sol` contains the `deployProxyAndDistributeBySignature()` function:

```solidity
function deployProxyAndDistributeBySignature(
    address organizer,
    bytes32 contestId,
    address implementation,
    bytes calldata signature,
    bytes calldata data
) public returns (address) {
    bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));
    if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
    address proxy = _deployProxy(organizer, contestId, implementation);
    _distribute(proxy, data);
    return proxy;
}
```

This function deploys a proxy contract and distributes the prize on behalf of the organizer.
The problem is that it is missing a deadline check on the signed message.
Signatures signed by users should always have an expiration or timestamp deadline, so that the signature is no longer valid after that time.

Impact

Without a signature expiration, a user who signs a message is effectively granting a "lifetime license".

Tools Used

Visual Studio Code

Recommendations

Add a deadline check in `deployProxyAndDistributeBySignature()`.
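
One way to implement this recommendation, shown as an added illustration that is not taken from the Sparkn code base: the deadline is both checked against `block.timestamp` and included in the signed payload. The contract name, the `deadline` parameter and the error names are assumptions; the digest is built the way the function above builds it, with `deadline` appended.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

// Added illustration, not Sparkn code. The contract name, the `deadline`
// parameter and both error names are hypothetical.
contract DeadlineBoundSignature is EIP712 {
    error SignatureExpired(uint256 deadline, uint256 currentTime);
    error InvalidSignature();

    constructor() EIP712("DeadlineBoundSignature", "1") {}

    /// Reverts unless `organizer` signed (contestId, data, deadline)
    /// and the deadline has not passed yet.
    function checkOrganizerSignature(
        address organizer,
        bytes32 contestId,
        bytes calldata data,
        uint256 deadline,
        bytes calldata signature
    ) public view returns (bytes32 digest) {
        // 1. Enforce expiry on-chain: a signature presented after its
        //    deadline is rejected before any recovery work is done.
        if (block.timestamp > deadline) {
            revert SignatureExpired(deadline, block.timestamp);
        }

        // 2. Bind the deadline into the signed payload. A caller who passes
        //    a later deadline than the organizer signed produces a different
        //    digest, so recovery no longer yields `organizer`.
        digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data, deadline)));
        if (ECDSA.recover(digest, signature) != organizer) {
            revert InvalidSignature();
        }
    }
}
```

Checking the timestamp without adding `deadline` to the hashed fields would not help, because the caller could then supply any deadline alongside an old signature.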
