Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

Lack of Time Enforcements in Contest Setup

Summary

The proxyFactory contract does not enforce a minimum duration when a contest is set up. An organizer might prematurely end a contest.

Vulnerability Details

The closeTime parameter in the proxyFactory contract is critical in determining when a contest closes. A typical contest might last for a few days or even weeks to allow ample time for participants and sponsors. However, the current implementation allows the owner to define a closeTime that is either immediate or in the near future. This flexibility can be a source of problems. If a contest closes prematurely, the participants might not get a fair chance to submit their entries or participate fully. The owner might have to set up another contest and explain to the sponsors and participants that the contract has changed, which might lead to a loss of trust and credibility.

Proof of Concept (POC)

  1. Organizer initializes a new Contest using proxyFactory, setting a near-immediate closeTime.

  2. Moments later, the organizer executes the deployProxyAndDistributeByOwner function.

  3. The contest concludes almost immediately, barring any late participants from joining or finalizing their entries.

Impact

  • Participants could spend resources preparing for a contest only to find it closed prematurely.

  • Sponsors might transfer their funds after the contest has closed.

  • Continuous misuse can erode trust in the platform, discouraging potential participants from joining future contests.

Tools Used

Manual review

Recommendations

  1. Enforce a minimum closeTime, such as 3 days after contest creation, to ensure everyone gets a fair chance to participate and for the sponsors to fund the contest.

  2. Notify all participants when a contest's closeTime is set or modified.
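A sketch of how both recommendations could look in Solidity. This is an added example, not the Sparkn proxyFactory source: the contract name, `MIN_CONTEST_PERIOD`, `closeTimeOf`, the `setContest` signature and the error and event names are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative sketch only; every identifier here is hypothetical and
/// none of it is taken from the audited code base.
contract ContestRegistrySketch {
    error NotOwner();
    error ContestAlreadyRegistered(bytes32 contestId);
    error CloseTimeTooSoon(uint256 closeTime, uint256 earliestAllowed);

    /// Recommendation 2: an event that off-chain services can index to
    /// notify participants and sponsors whenever a closeTime is set.
    event ContestCloseTimeSet(
        bytes32 indexed contestId,
        address indexed organizer,
        uint256 closeTime
    );

    /// Recommendation 1: the 3-day floor suggested in the finding.
    uint256 public constant MIN_CONTEST_PERIOD = 3 days;

    address public immutable owner;
    mapping(bytes32 => uint256) public closeTimeOf;

    constructor() {
        owner = msg.sender;
    }

    function setContest(address organizer, bytes32 contestId, uint256 closeTime) external {
        if (msg.sender != owner) revert NotOwner();

        // Write-once: a registered closeTime cannot be shortened later,
        // so the floor cannot be bypassed by re-registering the contest.
        if (closeTimeOf[contestId] != 0) revert ContestAlreadyRegistered(contestId);

        // Reject a closeTime that is immediate or in the near future.
        uint256 earliest = block.timestamp + MIN_CONTEST_PERIOD;
        if (closeTime < earliest) revert CloseTimeTooSoon(closeTime, earliest);

        closeTimeOf[contestId] = closeTime;
        emit ContestCloseTimeSet(contestId, organizer, closeTime);
    }
}
```

The revert carries both the rejected value and the earliest allowed timestamp, so a front end can show the organizer exactly why setup failed.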
