The distributeByOwner function in the smart contract allows the owner to distribute funds for contests that are deemed to be expired. However, because the relationship between the provided salt and the proxy address is not strictly verified, the owner can potentially distribute funds for any contest, bypassing the expiration check.
The vulnerability arises from the way the salt is calculated and verified in the distributeByOwner function. While the function checks if the salt is registered and if the contest associated with the salt has expired, it doesn't ensure that the salt is directly related to the provided proxy address. This oversight allows the owner to potentially use a valid salt from an expired contest with a proxy address of an active contest, thereby bypassing the expiration check.
The owner has the ability to distribute funds from any contest, regardless of its expiration status. This can lead to unauthorized distributions and potential loss of funds for contest participants.
Manual Review
Ensure that the salt used in the function corresponds directly to the provided proxy address.
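One way to implement this recommendation, as an added sketch that is not the audited project's code: it assumes proxies are deployed with CREATE2 so the expected address can be recomputed from the salt. The contract name, registerContest, predictProxy, closeTimeOf, proxyInitCodeHash and the 7-day EXPIRATION_TIME are hypothetical, and the salt is passed in directly for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration. All names except distributeByOwner are hypothetical
// and are not taken from the audited code base.
contract SaltBoundDistributor {
    error NotOwner();
    error SaltNotRegistered();
    error ContestNotExpired();
    error ProxySaltMismatch();
    error DistributionFailed();

    address public immutable owner;
    uint256 public constant EXPIRATION_TIME = 7 days; // assumed grace period
    bytes32 public immutable proxyInitCodeHash;       // assumed: keccak256 of the proxy creation code
    mapping(bytes32 => uint256) public closeTimeOf;   // salt => contest close time (0 = unregistered)

    constructor(bytes32 initCodeHash) {
        owner = msg.sender;
        proxyInitCodeHash = initCodeHash;
    }

    // Registers a contest under its salt (simplified for the example).
    function registerContest(bytes32 salt, uint256 closeTime) external {
        if (msg.sender != owner) revert NotOwner();
        closeTimeOf[salt] = closeTime;
    }

    // Standard CREATE2 address derivation for a proxy deployed by this contract.
    function predictProxy(bytes32 salt) public view returns (address) {
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), salt, proxyInitCodeHash)
        ))));
    }

    function distributeByOwner(address proxy, bytes32 salt, bytes calldata data) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 closeTime = closeTimeOf[salt];
        if (closeTime == 0) revert SaltNotRegistered();
        if (closeTime + EXPIRATION_TIME > block.timestamp) revert ContestNotExpired();
        // The binding the finding reports as missing: the proxy that receives
        // the call must be the one derived from the salt that was just checked.
        if (proxy != predictProxy(salt)) revert ProxySaltMismatch();
        (bool ok, ) = proxy.call(data);
        if (!ok) revert DistributionFailed();
    }
}
```

With the mismatch check in place, a salt from an expired contest can only authorize a call to that contest's own proxy. Dropping the proxy parameter and calling predictProxy(salt) directly gives the same guarantee.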