Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

organizer address can be manipulated by the owner.

naman1729

Summary

if owner is malicious, owner can manipulates the contest organizer to avoid this, we can establish an immutable variable dedicated to the organizer and store the organizer's address within it. Subsequently, we would retrieve the organizer's address from this variable, rather than sourcing it from the arguments, in order to prevent any potential manipulation.

Vulnerability Details

if owner is malicious, owner passing the organizer's address as an argument leads to a vulnerability of the organizer's address can be manipulated.

/**

* @notice Only owner can set contest's properties

* @notice close time must be less than 28 days from now

* @dev Set contest close time, implementation address, organizer, contest id

* @dev only owner can call this function

* @param organizer The owner of the contest

* @param contestId The contest id

* @param closeTime The contest close time

* @param implementation The implementation address

function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)

public

onlyOwner

{

if (organizer == address(0) || implementation == address(0)) revert ProxyFactory__NoZeroAddress();

if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {

revert ProxyFactory__CloseTimeNotInRange();

}

bytes32 salt = _calculateSalt(organizer, contestId, implementation);

if (saltToCloseTime[salt] != 0) revert ProxyFactory__ContestIsAlreadyRegistered();

saltToCloseTime[salt] = closeTime;

emit SetContest(organizer, contestId, closeTime, implementation);

}

Impact

The organizer's address is vulnerable to manipulation if it is placed within the arguments.

Tools Used

Manual review

Recommendations

we can establish an immutable variable dedicated to the organizer and store the organizer's address within it.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.