Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Missing ERC20 interface checks on `_whitelistedTokens`

Summary

The ProxyFactory.sol deployer (admin) provides an array of "whitelisted tokens" addresses to the constructor. However, the current implementation lacks a verification step to ensure that these addresses are smart contracts implementing the ERC20 standard.

Vulnerability Details

Currently, any address other than address(0) can be passed in the `_whitelistedTokens` parameter of the ProxyFactory.sol constructor and is then added to the list of whitelisted tokens.

This is problematic since there's no mechanism in place to verify whether the address corresponds to a token adhering to the ERC20 standard.

Impact

An address that is not a token can be added to the `_whitelistedTokens` mapping, and an organizer might mistakenly or intentionally select it for distributing rewards.

Tools Used

Manual Review

Recommendations

In the ProxyFactory.sol constructor, use EIP-165 to ensure that every address passed in the list implements the ERC20 standard.
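A constructor-time check of the kind recommended above, as an added example (not ProxyFactory.sol's own code; the contract, function and error names are assumptions). It tries ERC-165 first and, because ERC-20 itself does not require ERC-165 and most tokens do not implement it, falls back to probing two mandatory ERC-20 view functions through low-level staticcalls:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not ProxyFactory.sol's own code: a constructor-time whitelist check.
// The interface declarations and the contract/function/error names are assumptions.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

// The six ERC-20 functions; type(IERC20).interfaceId is the XOR of their selectors.
interface IERC20 {
    function totalSupply() external view returns (uint256);
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 value) external returns (bool);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function approve(address spender, uint256 value) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

contract WhitelistedTokenCheck {
    error NotAContract(address token);
    error NotAnERC20Token(address token);
    mapping(address => bool) public whitelistedTokens;

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; ++i) {
            address t = tokens[i];
            if (t == address(0) || t.code.length == 0) revert NotAContract(t); // EOA or undeployed
            if (!_looksLikeERC20(t)) revert NotAnERC20Token(t);
            whitelistedTokens[t] = true;
        }
    }

    // ERC-165 first, as the finding recommends. Most ERC-20 tokens never implement ERC-165,
    // so a negative answer is not conclusive and two mandatory view functions are probed instead.
    function _looksLikeERC20(address t) internal view returns (bool) {
        (bool ok, bytes memory data) = t.staticcall(
            abi.encodeCall(IERC165.supportsInterface, (type(IERC20).interfaceId))
        );
        if (ok && data.length == 32 && abi.decode(data, (uint256)) == 1) return true;
        if (!_returnsWord(t, abi.encodeCall(IERC20.totalSupply, ()))) return false;
        return _returnsWord(t, abi.encodeCall(IERC20.balanceOf, (address(this))));
    }

    // Low-level staticcall so that a missing function, a reverting fallback or an
    // empty return (e.g. a non-token contract with a payable fallback) all read as "no".
    function _returnsWord(address t, bytes memory callData) private view returns (bool) {
        (bool ok, bytes memory data) = t.staticcall(callData);
        return ok && data.length == 32;
    }
}
```

A non-token contract that happens to answer both probes with a 32-byte word would still pass, so this raises the bar against mistaken input rather than proving ERC-20 compliance.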
