Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

No check for signature reuse in `ProxyFactory.deployProxyAndDistributeBySignature`

Summary

Signature replay in `ProxyFactory.deployProxyAndDistributeBySignature` can be used to steal accidentally added funds.

Vulnerability Details

If funds are re-added to the Distributor contract, a malicious winner can call this function again with the same parameters and regain the rewards he already earned.

The function does not account for signature replay. Used signatures can be stored in a mapping to prevent reuse.

```solidity
function deployProxyAndDistributeBySignature(
    address organizer,
    bytes32 contestId,
    address implementation,
    bytes calldata signature,
    bytes calldata data
) public returns (address) {
    // The signed message covers only contestId and data.
    bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));
    if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
    // No record is kept of signatures that were already accepted.
    address proxy = _deployProxy(organizer, contestId, implementation);
    _distribute(proxy, data);
    return proxy;
}
```

Impact

Winners can front-run and steal accidentally transferred tokens.

Tools Used

Manual

Recommendations

Please check:
https://ethereum.stackexchange.com/questions/136224/how-to-use-nonce-to-prevent-signature-replication

And the first issue on:
https://dacian.me/signature-replay-attacks#heading-missing-nonce-replay
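
One way to apply the mapping approach mentioned under Vulnerability Details, shown as an added example that is not the project's own code. The `usedDigests` mapping, the `ProxyFactory__SignatureAlreadyUsed` error, the contract name and the signatures of the three abstract helpers are assumptions; the OpenZeppelin import paths assume a release that ships `EIP712.sol` under `utils/cryptography`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

// Added illustration, not the audited contract. usedDigests,
// ProxyFactory__SignatureAlreadyUsed and the contract name are hypothetical.
abstract contract ReplayGuardedProxyFactory is EIP712 {
    error ProxyFactory__InvalidSignature();
    error ProxyFactory__ContestIsNotRegistered();
    error ProxyFactory__ContestIsNotClosed();
    error ProxyFactory__SignatureAlreadyUsed(); // hypothetical

    mapping(bytes32 => uint256) public saltToCloseTime;
    // Keyed on the signed digest, not the signature bytes, so a different
    // encoding of a signature over the same message is rejected too.
    mapping(bytes32 => bool) public usedDigests; // hypothetical

    // Helpers named on the page; signatures are assumed and left abstract
    // so this contract compiles on its own.
    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal view virtual returns (bytes32);
    function _deployProxy(address organizer, bytes32 contestId, address implementation)
        internal virtual returns (address);
    function _distribute(address proxy, bytes calldata data) internal virtual;

    function deployProxyAndDistributeBySignature(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata signature,
        bytes calldata data
    ) public returns (address) {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));
        if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();
        bytes32 salt = _calculateSalt(organizer, contestId, implementation);
        if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
        if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
        // Replay guard: each signed (contestId, data) pair is accepted once.
        if (usedDigests[digest]) revert ProxyFactory__SignatureAlreadyUsed();
        // Mark as consumed before the external calls below.
        usedDigests[digest] = true;
        address proxy = _deployProxy(organizer, contestId, implementation);
        _distribute(proxy, data);
        return proxy;
    }
}
```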
