Sparkn
CodeFox Inc.
Tags: DeFi, Foundry, Proxy
Prize pool: 15,000 USDC

Submission Details
Severity: low
Valid

100% of tokens in proxy contract can be stolen.

Summary

An attacker can steal 100% of the tokens from the proxy contract.

Vulnerability Details

Each proxy contract is deployed with a unique salt: the keccak256 hash of the abi-encoded organizer, contestId and implementation.

https://github.com/Cyfrin/2023-08-sparkn/blob/0f139b2dc53905700dd29a01451b330f829653e9/src/ProxyFactory.sol#L260-L266

Deployment uses the create2 opcode, which lets anyone predict the address at which the contract will be deployed from that salt.

Because there is no function for the sponsor to send tokens after the proxy is deployed, the sponsor sends tokens beforehand to the proxy address, which is not yet deployed; that address is computed with the getProxyAddress() function.

https://github.com/Cyfrin/2023-08-sparkn/blob/0f139b2dc53905700dd29a01451b330f829653e9/src/ProxyFactory.sol#L225-L229

As soon as setContest() is called by the owner, an attacker can take the organizer, contestId and implementation values, derive the salt and deploy their own proxy contract using the same salt, with a different implementation address supplied at construction. When the sponsor then sends tokens to the computed proxy address, they actually go to the proxy the attacker deployed beforehand, and the attacker can withdraw 100% of the tokens through the implementation contract they set when deploying the proxy.

The organizer also cannot intervene: deployProxyAndDistribute() and deployProxyAndDistributeBySignature() both try to deploy the proxy with the same salt the attacker has already used, so they fail, and the owner has to wait an additional week before calling distributeByOwner(), during which the attacker sweeps all the tokens.

Impact

All the tokens sent to the proxy contract will be stolen by the attacker.

Tools Used

Manual Analysis

Recommendations

Deploy the proxy contract at the time the contest is set, inside the setContest() function, and verify that the contest was set successfully before allowing the sponsor to send tokens, since setContest() can be front-run and the attacker can still deploy the proxy ahead of it.
