Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

The reward may be disbursed even after the designated time period has elapsed.

Summary

The organizer can invoke the function after the EXPIRATION_TIME has passed.

Vulnerability Details

Upon the completion of the MAX_CONTEST_PERIOD, the organizer is permitted to trigger the deployProxyAndDistribute or deployProxyAndDistributeBySignature functions. However, the deployProxyAndDistributeByOwner function can only be called by the owner once the EXPIRATION_TIME period has elapsed.

Up to this point, these functions operate as expected. However, an issue arises: the organizer can still trigger the function even after the EXPIRATION_TIME has ended.

According to the sequence diagram of the protocol provided in the README and all other documentation, this should not occur. The documentation specifies that only the organizer has the authority to call the dispatch function, and only in the period between the expiration of MAX_CONTEST_PERIOD and the end of EXPIRATION_TIME.
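The documented time windows can be written as one guard with both a lower and an upper bound. The following is an added sketch, not code from the Sparkn repository: the contract, enum and function names, the ContestNotRegistered error and the 7-day value are assumptions, and it assumes saltToCloseTime holds the absolute timestamp at which the organizer window opens and EXPIRATION_TIME is a duration counted from it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added sketch, not the Sparkn ProxyFactory. The contract, enum and function names,
/// ContestNotRegistered and the 7-day value are assumptions for illustration.
contract DistributionWindowSketch {
    error ContestNotRegistered(); // hypothetical
    error ProxyFactory__ContestIsNotClosed();
    error ProxyFactory__ContestIsClosed();

    enum Phase { Running, OrganizerWindow, OwnerOnly }

    // Assumed to be a duration counted from the contest close time.
    uint256 public constant EXPIRATION_TIME = 7 days;

    // salt => absolute close timestamp of the contest
    mapping(bytes32 => uint256) public saltToCloseTime;

    // Unrestricted only because this is a sketch.
    function setCloseTime(bytes32 salt, uint256 closeTime) external {
        saltToCloseTime[salt] = closeTime;
    }

    // Classifies a timestamp against the two documented boundaries.
    function phaseAt(bytes32 salt, uint256 timestamp) public view returns (Phase) {
        uint256 closeTime = saltToCloseTime[salt];
        if (closeTime == 0) revert ContestNotRegistered();
        if (timestamp < closeTime) return Phase.Running;
        if (timestamp < closeTime + EXPIRATION_TIME) return Phase.OrganizerWindow;
        return Phase.OwnerOnly;
    }

    // Guard for the organizer paths: closeTime <= now < closeTime + EXPIRATION_TIME.
    function requireOrganizerWindow(bytes32 salt) public view {
        Phase phase = phaseAt(salt, block.timestamp);
        if (phase == Phase.Running) revert ProxyFactory__ContestIsNotClosed();
        // The upper bound the finding reports as missing.
        if (phase == Phase.OwnerOnly) revert ProxyFactory__ContestIsClosed();
    }

    // Guard for the owner path: only once the organizer window has ended.
    function ownerMayDistribute(bytes32 salt) public view returns (bool) {
        return phaseAt(salt, block.timestamp) == Phase.OwnerOnly;
    }
}
```

With these bounds the organizer and owner windows are mutually exclusive at every timestamp, which is the property the sequence diagram describes.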

Impact

The protocol still works for the organizer even after the contest has passed the EXPIRATION_TIME. The funds can still be sent.

Tools Used

Manual code review.

Recommendations

Add a condition like the following:

if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
+ if (saltToCloseTime[salt] < EXPIRATION_TIME) revert ProxyFactory__ContestIsClosed();
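Review bot: The added `+` line compares saltToCloseTime[salt] directly with EXPIRATION_TIME, but the line above it compares the same mapping value with block.timestamp, so that value is an absolute timestamp, while the write-up describes EXPIRATION_TIME as a period that elapses. If EXPIRATION_TIME is a duration, a close timestamp will in practice never be smaller than it and the new revert never fires, leaving the organizer path unbounded. Compare the current time with the end of the window instead, for example `if (block.timestamp >= saltToCloseTime[salt] + EXPIRATION_TIME) revert ProxyFactory__ContestIsClosed();`, choose `>=` or `>` to match the boundary used by the owner-only path, and declare ProxyFactory__ContestIsClosed if the contract does not already define it.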
