Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Blacklist Risk for STADIUM_ADDRESS Causes Fund Locking

Summary

This one is very similar to the issue where, if one of the winners is blacklisted, all the legitimate ones won't receive their prizes; here, instead of a winner, it is the STADIUM_ADDRESS that might be blacklisted. When the loop in the function _distribute completes, it calls the internal function _commissionTransfer, which sends the commission to the STADIUM_ADDRESS. If this address is blacklisted, the funds are locked and it all reverts.

Vulnerability Details

This function is called inside _distribute():

function _commissionTransfer(IERC20 token) internal {
    // Sends the contract's entire remaining balance of `token` to STADIUM_ADDRESS.
    token.safeTransfer(STADIUM_ADDRESS, token.balanceOf(address(this)));
}

Impact

If the STADIUM_ADDRESS is blacklisted by the token being distributed, then even if all the winners are legitimate (if they are not, that is another issue), the function will still revert and the funds will be stuck.

Tools Used

Manual review

Recommendations

I believe the only way to avoid leaving all the prizes locked forever is to add a function to change the STADIUM_ADDRESS and make it not immutable.
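
An added sketch of that recommendation (example code written for this page, not the Sparkn contract or the submitter's): a distributor whose commission recipient is mutable behind an owner check, next to a constructed mock token that reverts on blacklisted recipients. The names MockBlacklistToken, SketchDistributor, OWNER, stadiumAddress, setStadiumAddress and the amounts-based distribute signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed mock (assumption): a token that reverts transfers to blacklisted recipients.
contract MockBlacklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function setBlacklisted(address who, bool flag) external { blacklisted[who] = flag; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[to], "recipient blacklisted");
        balanceOf[msg.sender] -= amount; // checked arithmetic: reverts on insufficient balance
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical distributor for illustration; not the Sparkn contract.
contract SketchDistributor {
    address public immutable OWNER; // assumed admin role
    address public stadiumAddress;  // mutable, unlike the immutable STADIUM_ADDRESS

    event StadiumAddressChanged(address indexed previous, address indexed current);
    constructor(address stadium) {
        require(stadium != address(0), "zero stadium");
        OWNER = msg.sender;
        stadiumAddress = stadium;
    }

    function setStadiumAddress(address newStadium) external {
        require(msg.sender == OWNER, "not owner");
        require(newStadium != address(0), "zero stadium");
        emit StadiumAddressChanged(stadiumAddress, newStadium);
        stadiumAddress = newStadium;
    }

    // Pays winners, then sweeps the remainder as commission. A revert in the
    // final transfer rolls back every winner payment made in the loop.
    function distribute(MockBlacklistToken token, address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == OWNER, "not owner");
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; ++i) {
            require(token.transfer(winners[i], amounts[i]), "transfer failed");
        }
        require(token.transfer(stadiumAddress, token.balanceOf(address(this))), "commission failed");
    }
}
```

With the stadium address blacklisted on the mock, distribute reverts and no winner balance changes; after setStadiumAddress points to a non-blacklisted address, the same call succeeds.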
