Sparkn

Summary

A person who accidentally sends whitelisted tokens to a proxy contract will never get the full amount back because STADIUM_ADDRESS will always receive a portion of it.

Vulnerability Details

Consider the following:

• DAI has been whitelisted in ProxyFactory.sol

• Alice has a contest running, the prize pool is going to be 500K.

• Alice sends 500K to the calculated proxy address.

• All goes well, the contest is finished and Alice pays out the winners using deployProxyAndDistribute().

• Couple weeks after the contest, Alice wants to start another contest. This time she sends 500K DAI by accident to the previous proxy address.

• Alice decides to contact them team and they help her rescue the funds.

However, since the only way to rescue the funds is to use the _distribute() function in Distributor.sol, Alice will never get back the full 500K because a portion will always go to the STADIUM_ADDRESS.

Using the current config of the Distributor.sol, Alice would get back:

• 500000 / 10000 * 500 = 25000 DAI goes to STADIUM_ADDRESS.

• 500000 - 25000 = 475000 DAI goes to Alice.
  This means Alice will lose 25K DAI.

The team states in the README.md:
`There is a way to rescue the token stuck in the proxy contract after the deployment and distribution of prizes only when the token is whitelisted. If the token is not whitelisted, and then if someone sent the token by mistake, the token will be stuck there forever.
This doesn't hold up because the token stuck in the proxy address will never be fully rescued because of the reasons written above.

Impact

High

Tools Used

Manual Review

Recommendations

Implement an emergency withdraw function to get the tokens out of any proxy contract without the need to send tokens to STADIUM_ADDRESS.