The vulnerability relates to the immutability of `STADIUM_ADDRESS`. If this address is blacklisted by the token used for rewards, the system becomes unable to make transfers, leading to funds being stuck in the contract indefinitely.
1. The Owner calls `setContest` with the correct `salt`.
2. The Organizer sends USDC as rewards to a pre-determined Proxy address.
3. `STADIUM_ADDRESS` is blacklisted by the USDC operator.
4. When the contest is closed, the Organizer calls `deployProxyAndDistribute` with the registered `contestId` and `implementation` to deploy a proxy and distribute rewards. However, the call to `Distributor._commissionTransfer` reverts at Line 164 due to the blacklisting.
5. USDC held at the Proxy contract becomes stuck forever.
This vulnerability is marked as High severity because a blacklisted `STADIUM_ADDRESS` would lead to funds being locked in the Proxy address permanently. Funds are already held in the Proxy, and the Proxy's `_implementation` cannot be changed once deployed. Even the `ProxyFactory.distributeByOwner()` function cannot rescue the funds due to the revert.
Manual Review
It is recommended to allow `STADIUM_ADDRESS` to be updatable by a dedicated admin role to avoid token transfer blacklisting. Moreover, since `STADIUM_ADDRESS` would no longer be `immutable`, storage collision should be taken into account.
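As an added illustration (not the audited project's code), a minimal before/after: the immutable commission recipient beside a variant that reads it from an admin-controlled registry through a plain call. Because the registry is called rather than delegatecalled, no new variable is added to each proxy's storage, which sidesteps the storage-collision concern noted above. `IERC20`, `DistributorImmutable`, `StadiumRegistry`, `DistributorUpdatable` and their members are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used here (declared inline for the example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// BEFORE: the recipient is baked into the implementation bytecode. Immutables
// survive delegatecall, but if the reward token blacklists this address every
// distribution that reaches _commissionTransfer reverts, and the funds stay put.
contract DistributorImmutable {
    address public immutable STADIUM_ADDRESS;
    constructor(address stadium) { STADIUM_ADDRESS = stadium; }
    function _commissionTransfer(IERC20 token, uint256 amount) internal {
        require(token.transfer(STADIUM_ADDRESS, amount), "commission failed");
    }
}

// AFTER (hypothetical): the recipient lives in a registry reached by a plain
// call, not delegatecall, so no new slot is added to each proxy's storage and
// the storage-collision concern does not arise. Only the admin can rotate it.
contract StadiumRegistry {
    address public immutable ADMIN;
    address public stadium;
    event StadiumUpdated(address indexed previous, address indexed current);
    constructor(address admin, address initialStadium) {
        ADMIN = admin;
        stadium = initialStadium;
    }

    function setStadium(address newStadium) external {
        require(msg.sender == ADMIN, "not admin");
        require(newStadium != address(0), "zero address");
        emit StadiumUpdated(stadium, newStadium);
        stadium = newStadium;
    }
}

contract DistributorUpdatable {
    // An immutable pointer to the registry is safe: the registry itself never
    // receives tokens, so a token blacklist cannot affect this reference.
    StadiumRegistry public immutable REGISTRY;
    constructor(StadiumRegistry registry) { REGISTRY = registry; }

    function _commissionTransfer(IERC20 token, uint256 amount) internal {
        require(token.transfer(REGISTRY.stadium(), amount), "commission failed");
    }
}
```

If the recipient is rotated after a blacklisting, proxies that have not yet distributed pick up the new address on their next `_commissionTransfer` without any change to their own storage layout.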