Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Pre-computed address collision with deployed contract

Summary

A proxy address pre-computed for CREATE2 may already be occupied by a deployed contract (an address collision). Because funds are sent to that address before the proxy is deployed, they would be lost.

Vulnerability Details

With low probability, the proxy address pre-computed for the CREATE2 opcode may already hold a contract (an address collision). The protocol's flow requires the funds to be sent to that pre-computed address before the proxy contract is deployed, so if a contract already sits at the address the funds are transferred to it and are lost. Note that CREATE2 itself reverts when code already exists at the target address, so the later deployment step fails on its own; the exposure is specifically the funds sent ahead of deployment.

Impact

Loss of the funds sent to the pre-computed proxy address when a contract already occupies that address.

Tools Used

Manual review

Recommendations

Send the funds in the same transaction as the contest deployment, after checking that the pre-computed proxy address has no code at it and is therefore still eligible for deployment:

function _deployProxy(
    address organizer,
    bytes32 contestId,
    address implementation,
    uint256 amount // added parameter: the USDC the organizer funds the contest with
) internal returns (address) {
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    address calculatedAddress = getProxyAddress(salt, implementation);

    // Refuse to proceed if anything already lives at the pre-computed address.
    // Reading extcodesize is cheap and removes the threat of sending tokens
    // to a contract that is already deployed there.
    uint256 codesz;
    assembly {
        codesz := extcodesize(calculatedAddress)
    }
    if (codesz != 0) revert ProxyFactory__ContractAlreadyDeployed();

    // Only now send the ERC-20 tokens to the proxy address. The transfer is
    // shown symbolically with a SafeERC20-style safeTransferFrom.
    usdc.safeTransferFrom(msg.sender, calculatedAddress, amount);

    // Deploy the proxy at that same address within the same transaction.
    address proxy = address(new Proxy{salt: salt}(implementation));
    return proxy;
}
