Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high
Valid

Potential Unauthorized Distribution Due to Non-Unique Contest Identifiers

Summary

The deployProxyAndDistributeBySignature function in the contract allows for the deployment of a proxy contract and the distribution of prizes based on a signature from the organizer. However, nothing ensures that a contest is unique for a given combination of contestId and organizer. This allows for potential unauthorized distributions using different implementation versions.

Vulnerability Details

The vulnerability arises from the lack of a strict uniqueness check for contests based on the combination of contestId and organizer, combined with the fact that the implementation address is not included in the signed message. While the function checks the validity of the signature and ensures that the contest is registered and closed, it does not prevent the existence of multiple contests with the same contestId and organizer. As a result, a signature the organizer produced for one contest remains valid for another contest with the same identifiers, so a malicious actor can distribute funds through a different (old) implementation version as long as a contest with those identifiers exists.

Impact

Malicious actors can exploit this oversight to distribute funds from contests using old implementation versions.

Tools Used

Manual Review

Recommendations

Consider including the implementation in the signature provided by the organizer.
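To make the Vulnerability Details and this recommendation concrete, the following added model (not code from the Sparkn project) reproduces the factory's two checks with a stand-in signature scheme: HMAC replaces ECDSA/EIP-712, SHA-256 replaces keccak256, and all names and sample values (ORGANIZER_KEY, IMPL_V1, IMPL_V2, DATA) are constructed. The same replay is run once with the current digest, which omits the implementation, and once with the recommended digest, which binds it.

```python
import hashlib
import hmac

# Constructed sample values; none come from the report.
ORGANIZER_KEY = b"organizer-secret"   # stand-in for the organizer's ECDSA private key
ORGANIZER = b"0xOrganizer"
CONTEST_ID = b"contest-2023-08"
IMPL_V1 = b"0xImplementationV1"       # old implementation, still registered
IMPL_V2 = b"0xImplementationV2"       # current implementation, same contestId/organizer
DATA = b"distribute(winner=0xAlice, amount=15000)"


def salt(organizer, contest_id, implementation):
    # Contests are keyed by (organizer, contestId, implementation), so two
    # registered contests may share organizer and contestId.
    return hashlib.sha256(organizer + contest_id + implementation).digest()


def digest_vulnerable(contest_id, implementation, data):
    # Implementation is a parameter but is NOT bound into the signed message.
    return hashlib.sha256(contest_id + data).digest()


def digest_fixed(contest_id, implementation, data):
    # Recommended form: the signature commits to the implementation too.
    return hashlib.sha256(contest_id + implementation + data).digest()


def sign(key, digest):
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key, digest, signature):
    return hmac.compare_digest(sign(key, digest), signature)


def distribute_by_signature(registered, digest_fn, organizer, contest_id, implementation, signature, data):
    # Mirrors the factory: organizer signature must verify, contest must be registered.
    if not verify(ORGANIZER_KEY, digest_fn(contest_id, implementation, data), signature):
        return "InvalidSignature"
    if salt(organizer, contest_id, implementation) not in registered:
        return "ContestIsNotRegistered"
    return "distributed via " + implementation.decode()


def run(digest_fn, target_impl):
    # Both contests share organizer and contestId and differ only in implementation.
    registered = {salt(ORGANIZER, CONTEST_ID, IMPL_V1), salt(ORGANIZER, CONTEST_ID, IMPL_V2)}
    # The organizer signs a distribution intended for the current (v2) contest ...
    sig = sign(ORGANIZER_KEY, digest_fn(CONTEST_ID, IMPL_V2, DATA))
    # ... and the caller presents that signature against target_impl.
    return distribute_by_signature(registered, digest_fn, ORGANIZER, CONTEST_ID, target_impl, sig, DATA)
```

With digest_vulnerable the v2 signature is accepted against the old v1 contest; with digest_fixed the same replay is rejected while the intended v2 distribution still succeeds.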
