Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Make use of multisig mandatory as a Owner

Summary

Proxy Factory is deployed once, the msg.sender is the owner of the factory contract and has a lot of power. It should be secure we believe. The current behavior is, any 1 individual can use EOA as an owner, which is a huge risk and we've already seen so many hacks happen in the past due to this.

Vulnerability Details

owner(individual) = admin

What if the admin is not available on some days? What if the admin is sick?
They can also be subject to phishing etc.
We suggest using a multi-sig as an owner

Impact

Risk of custody of funds in 1 hand. Everyone will lose funds if the admin gets hacked or turns rogue.

Tools Used

Recommendations

Require a check in the factory's constructor such that

uint size;

assembly {

size := extcodesize(msg.sender)

}

if (size == 0) revert();

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.