Sending funds to unexisted contract may lead to lose all fund
Summary
Because organizer/sponsor send funds to undeployed contract, there's some chance that the funds will forever lost due to reverted when deploy proxy and distribute funds
Vulnerability Details
The funds can be lost by those steps:
Step 1: Owner call
ProxyFactory.setContest()Step 2: Organizer/Sponsor send funds to unexisted contract
Step 3: Owner and Organizer deploy proxy and distribute fund (using
deployProxyAndDistribute(),deployProxyAndDistributeBySignature(),deployProxyAndDistributeByOwner()), but the functions somehow got reverted, make the funds stuck forever
This can be happened with those cases:
Organizer/Sponsor mistakenly put funds with unwhitelisted token, causing reverted in
Distributor.distribute()
Owner mistakenly use wrong input
implementationwhen callProxyFactory.setContest()When the protocol decided to use new
Distributor.sollogic contracts, there's can be chances that there's bug that cause reverted inDistributor.distribute()...
Those cases is quite rare, but I think the risks of sending funds to an undeployed contract is significant
Impact
The funds can be stuck forever
Tools Used
Manual Review
Recommendations
The protocol should have vault contracts to store the funds first, and then distribute it later.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.