Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium
Valid

Organiser can set himself as winner

Summary

The organiser can distribute any funds contributed by external sponsors to himself, as long as he sets his own EOA as one of the winners.

Vulnerability Details

The organiser simply calls deployProxyAndDistribute with his own EOAs among the winners in the delegatecall calldata; the proxy forwards those parameters unchanged to the actual implementation function in Distributor.sol, which pays out to whatever addresses it is given.

Impact

This is classified as medium because it requires a malicious organiser. Depending on the amount of funds contributed by external sponsors, the impact could be severe if contests are rigged this way. Although the organiser is stated to be trusted, judging the code base on its own this is still a medium severity vulnerability.

Tools Used

Foundry

Recommendations

Employ an anti-sybil measure (difficult and perhaps not feasible) to prevent this from occurring, or, as a first step, at least require that the organiser cannot also be a winner.
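As an added illustration of the second recommendation (this is not code from the Sparkn repository), a simplified distributor that reverts when the winners array contains the organiser. The contract name, error names, the basis-point percentage scheme and the assumption that the deploying factory forwards the organiser's address (the msg.sender of deployProxyAndDistribute) are all assumptions made for this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC20 surface needed for the payout (assumption: a standard ERC20 token).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Simplified stand-in for a contest distributor. Not Sparkn's Distributor.sol;
/// names and layout are assumptions made for this illustration.
contract GuardedDistributor {
    uint256 public constant BASIS_POINTS = 10_000;

    error OrganiserCannotBeWinner(address organiser);
    error LengthMismatch();
    error InvalidPercentages();
    error ZeroWinner();

    /// Pays out the `token` balance held by this contract to `winners` in
    /// proportion to `percentages` (basis points summing to 10_000).
    /// `organiser` is the account that created the contest (assumed to be
    /// forwarded by the factory) and must not appear among the winners.
    function distribute(
        address organiser,
        address token,
        address[] calldata winners,
        uint256[] calldata percentages
    ) external {
        if (winners.length != percentages.length) revert LengthMismatch();
        uint256 totalPct;
        for (uint256 i = 0; i < winners.length; i++) {
            // Mitigation from the report: the organiser cannot set himself as a winner.
            if (winners[i] == organiser) revert OrganiserCannotBeWinner(organiser);
            if (winners[i] == address(0)) revert ZeroWinner();
            totalPct += percentages[i];
        }
        // Extra sanity check (not from the report): shares must account for the whole pool.
        if (totalPct != BASIS_POINTS) revert InvalidPercentages();

        uint256 pool = IERC20(token).balanceOf(address(this));
        for (uint256 i = 0; i < winners.length; i++) {
            uint256 share = (pool * percentages[i]) / BASIS_POINTS;
            require(IERC20(token).transfer(winners[i], share), "transfer failed");
        }
    }
}
```

A Foundry test for this check would call distribute with the organiser's address in `winners` and expect the OrganiserCannotBeWinner revert via vm.expectRevert.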
