Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Duplicate Winners Exploit in _distribute Function

Summary

The _distribute function does not check if any of the winners are present more than once.

Vulnerability Details

The organizer can add the same address to the winners array more than once when calling the distribute function with the winners and their percentages, either deliberately, to game the system, or by mistake.

Impact

It opens the system up to gaming: not only can the same address be used multiple times, but that address can also take more of the prize, since each time it appears in the array it receives another share.

Tools Used

Manual review

Recommendations

Check if the winner already exists for the contest.
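One way to enforce that check, as an added example rather than the Sparkn Distributor's own code (the `_distribute` signature with parallel `winners` and `percentages` arrays, the `BASIS_POINTS` denominator and the `totalPrize` parameter are assumptions modelled on the finding):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Rejects a winners array that
// contains the same address more than once before any prize is paid out.
contract DistributeDedupExample {
    error LengthMismatch();
    error DuplicateWinner(address winner, uint256 index);
    error PercentageSumMismatch(uint256 sum);

    uint256 public constant BASIS_POINTS = 10_000; // assumed denominator

    event Distributed(address indexed winner, uint256 share);

    function _distribute(
        uint256 totalPrize,            // assumed: prize balance to split
        address[] memory winners,
        uint256[] memory percentages
    ) internal {
        uint256 n = winners.length;
        if (n != percentages.length) revert LengthMismatch();

        uint256 sum;
        for (uint256 i = 0; i < n; i++) {
            // Compare against every earlier entry; revert on the first repeat.
            for (uint256 j = 0; j < i; j++) {
                if (winners[j] == winners[i]) revert DuplicateWinner(winners[i], i);
            }
            sum += percentages[i];
        }
        // Shares must add up to exactly 100% of the prize.
        if (sum != BASIS_POINTS) revert PercentageSumMismatch(sum);

        for (uint256 i = 0; i < n; i++) {
            uint256 share = (totalPrize * percentages[i]) / BASIS_POINTS;
            // Token transfer to winners[i] would go here.
            emit Distributed(winners[i], share);
        }
    }
}
```

The nested loop is O(n²), which is acceptable for the short winner lists a contest produces; for large arrays, requiring the organizer to submit the winners in strictly ascending address order (`winners[i] > winners[i-1]`) gives the same guarantee in a single pass.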
