Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Blacklisted STADIUM_ADDRESS causes funds to be stuck in the contract forever

Summary

The vulnerability stems from STADIUM_ADDRESS being immutable. If this address is blacklisted by the token used for rewards, the commission transfer to it reverts and the contract can no longer move the tokens, leaving the funds stuck in the contract indefinitely.

Vulnerability Details

  1. Owner calls setContest with the correct salt.

  2. The Organizer sends USDC as rewards to a pre-determined Proxy address.

  3. STADIUM_ADDRESS is blacklisted by the USDC operator.

  4. When the contest is closed, the Organizer calls deployProxyAndDistribute with the registered contestId and implementation to deploy a proxy and distribute rewards. However, the call to Distributor._commissionTransfer reverts at Line 164 due to the blacklisting.

  5. USDC held at the Proxy contract becomes stuck forever.

// Findings are labeled with '<= FOUND'
// File: src/Distributor.sol
116: function _distribute(address token, address[] memory winners, uint256[] memory percentages, bytes memory data)
117: ...
154: _commissionTransfer(erc20);// <= FOUND
155: ...
156: }
...
163: function _commissionTransfer(IERC20 token) internal {
164: token.safeTransfer(STADIUM_ADDRESS, token.balanceOf(address(this)));// <= FOUND: a blacklisted STADIUM_ADDRESS makes this revert, so funds stay stuck in the contract forever
165: }

Impact

This vulnerability is marked as High severity because a blacklisted STADIUM_ADDRESS would lead to funds being locked in the Proxy address permanently. Funds are already held in the Proxy, and the Proxy's _implementation cannot be changed once deployed. Even the ProxyFactory.distributeByOwner() function cannot rescue the funds due to the revert.

Tools Used

Manual Review

Recommendations

It is recommended to make STADIUM_ADDRESS updatable by a dedicated admin role, so that the commission recipient can be changed if the reward token blacklists the current one. Moreover, since STADIUM_ADDRESS would then no longer be immutable but a storage variable, its slot must be chosen so as not to collide with existing proxy storage.
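The following is a constructed, self-contained illustration of the issue and the recommended fix; it is not Sparkn's code, and the contract names (BlacklistToken, ImmutableStadiumDistributor, UpdatableStadiumDistributor, Scenario) are assumptions. It reproduces the sequence in the Vulnerability Details section: the distributor is funded, the stadium address is blacklisted by the token operator, and the commission transfer is attempted on both the immutable design and the admin-updatable one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed example, not Sparkn's code. All contract names are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Mock reward token whose operator can blacklist addresses, as the USDC operator can.
contract BlacklistToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    address public operator;

    constructor() { operator = msg.sender; }

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function setBlacklisted(address who, bool status) external {
        require(msg.sender == operator, "not operator");
        blacklisted[who] = status;
    }

    // Any transfer touching a blacklisted account reverts, as in the report.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern: the commission recipient is fixed at deployment.
contract ImmutableStadiumDistributor {
    address public immutable STADIUM_ADDRESS;

    constructor(address stadium) { STADIUM_ADDRESS = stadium; }

    // Once STADIUM_ADDRESS is blacklisted this reverts forever; the balance never leaves.
    function commissionTransfer(IERC20 token) external {
        require(token.transfer(STADIUM_ADDRESS, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened pattern: a dedicated admin can re-point the commission recipient.
contract UpdatableStadiumDistributor {
    address public admin;
    address public stadiumAddress; // storage variable, no longer immutable

    event StadiumAddressUpdated(address indexed oldAddr, address indexed newAddr);

    constructor(address admin_, address stadium) {
        admin = admin_;
        stadiumAddress = stadium;
    }

    function setStadiumAddress(address newStadium) external {
        require(msg.sender == admin, "not admin");
        require(newStadium != address(0), "zero address");
        emit StadiumAddressUpdated(stadiumAddress, newStadium);
        stadiumAddress = newStadium;
    }

    function commissionTransfer(IERC20 token) external {
        require(token.transfer(stadiumAddress, token.balanceOf(address(this))), "transfer failed");
    }
}

// Walks through the report's sequence on both designs.
contract Scenario {
    function run() external returns (bool immutableStuck, bool updatableRecovered) {
        BlacklistToken usdc = new BlacklistToken(); // Scenario becomes the token operator
        address stadium = address(0xBEEF);
        address newStadium = address(0xCAFE);

        ImmutableStadiumDistributor fixedDist = new ImmutableStadiumDistributor(stadium);
        UpdatableStadiumDistributor flexDist = new UpdatableStadiumDistributor(address(this), stadium);
        usdc.mint(address(fixedDist), 1_000e6);
        usdc.mint(address(flexDist), 1_000e6);

        // Step 3 of the report: the operator blacklists the stadium address.
        usdc.setBlacklisted(stadium, true);

        // Immutable design: the call reverts and the tokens stay in the distributor.
        try fixedDist.commissionTransfer(usdc) {
            immutableStuck = false;
        } catch {
            immutableStuck = usdc.balanceOf(address(fixedDist)) == 1_000e6;
        }

        // Updatable design: the admin moves the recipient, then the transfer succeeds.
        flexDist.setStadiumAddress(newStadium);
        flexDist.commissionTransfer(usdc);
        updatableRecovered = usdc.balanceOf(newStadium) == 1_000e6
            && usdc.balanceOf(address(flexDist)) == 0;
    }
}
```

Calling Scenario.run() returns (true, true): the immutable distributor's tokens remain locked after the blacklisting, while the updatable one recovers them once the admin points the recipient elsewhere. When the updatable version lives behind a delegatecall proxy, the new stadiumAddress variable must be appended after the existing storage layout (or kept in a dedicated namespaced slot) rather than inserted before it, which is the storage collision concern raised in the recommendation.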
