The Proxy contract is deployed and then rewards are distributed in the same function call, but if any of the scenarios listed above (distributeByOwner() inside ProxyFactory.sol) occur, then all the rewards can be stolen.

and/or

The deployProxyAndDistributeBySignature() function allows users to deploy the proxy and distribute funds on behalf of the organizer.

If for any reason a Proxy contract is deployed but funds are not distributed correctly, the rewards can be stolen before the owner is even allowed to call distributeByOwner() (7-day expiration time). All a malicious user would have to do is call the Proxy with calldata that makes their address the winner and gives themselves the entire available percentage, currently 95% since 5% is taken by the protocol as a fee.

Or, even if the Proxy isn't deployed, deployProxyAndDistributeBySignature() could be abused.
Direct loss of funds.
Manual review
As with most exploits, there are many different band-aids you can apply. One simple fix would be to implement a balanceOf() check before and after the _distribute() call is made; if the Proxy balance remains unchanged or not all the rewards were disbursed, then the transaction should revert.

And/or use msg.sender inside deployProxyAndDistributeBySignature() in combination with a whitelist mechanism that allows organizers to approve other users to deploy proxies on their behalf.
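Both mitigations sketched above, written out as an added illustration (this is not SPARKN's code and not part of the original finding). It assumes the factory is told the reward token address for the contest, that the proxy is reached through the same low-level call the factory already uses, and all names other than Proxy and _distribute are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration of the two recommended mitigations; not the project's code.
// Assumed: the reward token for a contest is known to the factory, and the
// proxy is invoked with a low-level call carrying the distribution calldata.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract GuardedProxyFactoryExample {
    error Factory__NothingToDistribute();
    error Factory__ProxyCallFailed();
    error Factory__RewardsNotFullyDisbursed(uint256 remaining);
    error Factory__DeployerNotApproved(address organizer, address deployer);

    // organizer => deployer => approved (hypothetical whitelist)
    mapping(address => mapping(address => bool)) public approvedDeployers;

    // An organizer opts a third party in to deploy proxies on their behalf.
    function setApprovedDeployer(address deployer, bool approved) external {
        approvedDeployers[msg.sender][deployer] = approved;
    }

    // Mitigation 2: tie the by-signature path to msg.sender. The organizer
    // whose signature is presented must be the caller or have whitelisted it.
    function _checkDeployer(address organizer) internal view {
        if (msg.sender != organizer && !approvedDeployers[organizer][msg.sender]) {
            revert Factory__DeployerNotApproved(organizer, msg.sender);
        }
    }

    // Mitigation 1: balanceOf() before and after the distribution call.
    // Reverting when the proxy still holds tokens afterwards covers both the
    // "balance unchanged" and the "only partially disbursed" cases.
    function _distributeChecked(address proxy, address token, bytes memory data) internal {
        uint256 balanceBefore = IERC20(token).balanceOf(proxy);
        if (balanceBefore == 0) revert Factory__NothingToDistribute();

        (bool ok, ) = proxy.call(data); // forwards to Proxy -> _distribute()
        if (!ok) revert Factory__ProxyCallFailed();

        uint256 remaining = IERC20(token).balanceOf(proxy);
        if (remaining != 0) revert Factory__RewardsNotFullyDisbursed(remaining);
    }
}
```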