Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

[L-01] `ProxyFactory.deployProxyAndDistributeBySignature()`: Lack of Signature deadline

0xnevi

Impact

In ProxyFactory.deployProxyAndDistributeRewardsBySignature(), organizers can deploy proxy and distribute rewards with signature sent. However, there is a lack of signature deadline, and as such, once allowed, can be used by organizer to deploy proxy and distribute rewards at any time in the future, indefinitely.

ProxyFactory.sol#L152-L167

function deployProxyAndDistributeBySignature(

address organizer,

bytes32 contestId,

address implementation,

// @audit signature used to deploy and distrbute rewards

// @audit necessary due to possibility of `ProxyFactory.sol` being deployed in multiple EVM chains

-> bytes calldata signature,

bytes calldata data

) public returns (address) {

bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));

if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();

bytes32 salt = _calculateSalt(organizer, contestId, implementation);

if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();

if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();

address proxy = _deployProxy(organizer, contestId, implementation);

_distribute(proxy, data);

return proxy;

}

Additionally, the function checks that contest is not closed, but does not check that contest has expired similar to in deployProxyAndDistributeByOwner().

In the event where an inactive organizer suddenly becomes active, and calls the deployProxyAndDistributeRewardsBySignature(), it could result in deployment collisions due to same salt when owner is trying to deploy proxy and distribute rewards as well. This could be problematic if owner and organizer has different winners in mind.

Tools Used

Manual Analysis

Recommendation

Add a expiry for signature approved to organizer
After expiry, make it consistent that only owner can deploy proxy and distribute rewards after expiration.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.