Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

A blacklisted STADIUM_ADDRESS could result in stuck funds in proxies

Summary

Funds can become stuck in proxies if STADIUM_ADDRESS is blacklisted by the token being distributed.

Vulnerability Details

Tokens such as USDC and USDT use blocklists to prevent certain addresses from interacting with the token contract. If the STADIUM_ADDRESS, to which fees are sent, is blacklisted, the distribute function would not work.

Impact

Users would send their tokens to the address of the yet-to-be-deployed proxy, then try to deploy the proxy and distribute the funds. The distribution would fail when transferring the commission to the STADIUM_ADDRESS, because that address is blacklisted. The funds sent to the proxy would be unrecoverable for as long as the STADIUM_ADDRESS remains blacklisted.

Tools Used

Manual

Recommendations

Consider adding functionality to change the STADIUM_ADDRESS, or functionality to track unclaimed fees so that they can be claimed in the future.
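
The sketch below combines both recommendations: a replaceable fee recipient and deferred fee accounting. It is an added example, not Sparkn's code. The contract name, `feeRecipient`, `unclaimedFees`, `setFeeRecipient`, `claimFees` and the explicit `fee` parameter are all hypothetical, and the proxy is assumed to hold enough tokens to cover payouts plus fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Sparkn's code; every name here is hypothetical.
contract DeferredFeeDistributor {
    address public immutable owner;
    address public feeRecipient; // replaceable, unlike a fixed STADIUM_ADDRESS
    mapping(address => uint256) public unclaimedFees; // token => fee held for later

    constructor(address recipient) {
        owner = msg.sender;
        feeRecipient = recipient;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setFeeRecipient(address recipient) external onlyOwner {
        require(recipient != address(0), "zero address");
        feeRecipient = recipient;
    }

    // Low-level call: a blocklist revert returns false here instead of bubbling up,
    // and tokens that return no value (USDT-style) are still accepted.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        if (token.code.length == 0) return false;
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSignature("transfer(address,uint256)", to, amount));
        return ok && (ret.length == 0 || abi.decode(ret, (bool)));
    }

    function distribute(address token, address[] calldata winners,
                        uint256[] calldata amounts, uint256 fee) external onlyOwner {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            require(_tryTransfer(token, winners[i], amounts[i]), "winner transfer failed");
        }
        // The fee goes last; a failure is recorded rather than reverting the payouts.
        if (!_tryTransfer(token, feeRecipient, fee)) unclaimedFees[token] += fee;
    }

    function claimFees(address token) external {
        uint256 owed = unclaimedFees[token];
        require(owed > 0, "nothing owed");
        unclaimedFees[token] = 0; // clear before the external call
        require(_tryTransfer(token, feeRecipient, owed), "fee transfer failed");
    }
}
```

Only the fee leg is deferred in this sketch; a failing winner transfer still reverts the whole call. `claimFees` succeeds once the recipient is unblocked or the owner has pointed `feeRecipient` at a different address.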
