`ProxyFactory` owner can call `distributeByOwner` on any expired contest using any proxy
Summary
ProxyFactory owner can call distributeByOwner on any expired contest using any proxy rather than using the intended contest proxy.
Vulnerability Details
-
In
ProxyFactorycontract: the owner of the contract can calldistributeByOwnerfunction on any contest if it has expired and its rewards hasn't been distributed. -
The function first calculates the contest salt based on the organizer,contestId & implementation contract; then it checks if the contest has ended and passed the end time by the expiration time (
saltToCloseTime[salt] + EXPIRATION_TIME <= block.timestamp). -
If so; then the rewards are distributed (or rescued) using the proxy address provided by the owner as a function argument.
-
And since the proxy address used is provided not calculated by
getProxyAddress; this might result in using the wrong contest proxy.
Impact
So the owner might rescue rewards tokens from a wrong contest instead of the intended expired contest (if the owner uses a wrong contest proxy of an active contest).
Proof of Concept
Tools Used
Manual Testing.
Recommendations
In distributeByOwner function: use getProxyAddress function to get the correct contest proxy.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.