Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

`ProxyFactory.deployProxyAndDistributeBySignature` is vulnerable to front running

Summary

`ProxyFactory.deployProxyAndDistributeBySignature` can be front-run: the function verifies that `signature` was produced by `organizer`, but it does not tie that signature to the caller, so a pending transaction's signature can be lifted from the mempool and resubmitted by someone else.

Vulnerability Details

The function takes the following parameters:

  • organizer - address of the organizer

  • contestId - bytes32 identifying the contest

  • implementation - address of the implementation contract that the deployed proxy delegates to

  • signature - the organizer's signature over the EIP-712 digest that the function reconstructs and checks with `ECDSA.recover`

  • data - calldata forwarded to the freshly deployed proxy (and from there to the implementation); it encodes the winners and each winner's percentage of the prize amount

The function is meant to be called by the organizer (or on the organizer's behalf) with the organizer's signature. Once the organizer's transaction is broadcast, however, the signature is visible in the public mempool, and a front-running bot can reuse it in its own transaction with a manipulated `data` payload that pays out only to the attacker.

Attack Scenario

  • Alice is the organizer. She calls the function with all the required arguments; a realistic `data` value is

    abi.encodeWithSelector(Distributor.distribute.selector, tokenAddress, [<BobAddress>, <JonAddress>], [<BobPercentage>, <JonPercentage>]);
  • A front-running bot sees Alice's pending transaction, copies `organizer`, `contestId`, `implementation` and `signature`, and submits its own call (with a higher gas price) using

    abi.encodeWithSelector(Distributor.distribute.selector, tokenAddress, [<HackerAddress>], [<HackerPercentage>]);
  • Because the function never checks that `msg.sender` is the organizer, nothing ties the signature to the caller, and the bot's transaction passes the signature check (this scenario assumes the signed digest does not cover `data`; see the caveat under Recommendations).

  • The bot's transaction is mined first, the proxy is deployed and `distribute` runs with the attacker's payload, so HackerAddress receives all of the rewards.

Impact

The intended winners receive nothing; the full prize amount for the contest is paid to the attacker's address.

Tools Used

Manual Review

Recommendations

  • Add a check so that only the organizer (or a caller the organizer has explicitly authorized) can trigger the deployment.

  • The current check only verifies that the signature belongs to `organizer`; it can be tightened so that the recovered signer must also be `msg.sender`:

    if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature(); // current check
    if (msg.sender != organizer) revert ProxyFactory__InvalidSignature(); // option 1: restrict the caller to the organizer
    if (ECDSA.recover(digest, signature) != msg.sender) revert ProxyFactory__InvalidSignature(); // option 2: the signer must be the caller

  • Caveat: either option removes the reason for a signature-based entry point (a relayer submitting the transaction and paying gas on the organizer's behalf), since an organizer who must send the transaction personally could call the non-signature path instead. The more general remedy is to make the signed message commit to everything the call does: include `implementation` and `keccak256(data)` in the digest and record used digests so a signature cannot be replayed. Note also that the attack only works if `digest` does not already cover `data`; if the digest is computed over `contestId` and `data`, a substituted payload changes the digest and `ECDSA.recover` no longer returns `organizer`, so that should be confirmed against the digest construction before treating the front-run as exploitable.
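The attack scenario and the recommendation above, as an added example that is not Sparkn's code: a minimal factory with the weak signature check the finding describes (digest covers only `contestId`, so `data` and `implementation` can be swapped by whoever relays the transaction) beside a hardened version whose EIP-712 digest commits to `organizer`, `contestId`, `implementation` and `keccak256(data)` and is consumed once. The contract name, error names, type string and the `Clones`-based deployment are assumptions chosen for the illustration; the imports are OpenZeppelin's `EIP712`, `ECDSA` and `Clones`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the project's code. Names below are assumptions.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

contract SignedDeployExample is EIP712 {
    error SignedDeployExample__InvalidSignature();
    error SignedDeployExample__SignatureUsed();
    error SignedDeployExample__DistributeFailed();

    // EIP-712 struct type; a `bytes` member is encoded as keccak256 of its contents.
    bytes32 private constant DEPLOY_TYPEHASH = keccak256(
        "DeployAndDistribute(address organizer,bytes32 contestId,address implementation,bytes data)"
    );
    mapping(bytes32 => bool) public usedDigest;

    constructor() EIP712("SignedDeployExample", "1") {}

    /// Weak form, matching the finding: the digest covers only the contest id, so a
    /// front-runner can resubmit the same signature with its own `data` (or even a
    /// different `implementation`) and the recover check still passes.
    function deployBySignatureWeak(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata signature,
        bytes calldata data
    ) external returns (address) {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId)));
        if (ECDSA.recover(digest, signature) != organizer) revert SignedDeployExample__InvalidSignature();
        return _deployAndDistribute(organizer, contestId, implementation, data);
    }

    /// Digest the organizer signs off-chain for the hardened path (tests can
    /// compute it the same way, e.g. with Foundry's vm.sign).
    function deployDigest(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(DEPLOY_TYPEHASH, organizer, contestId, implementation, keccak256(data))
        );
        return _hashTypedDataV4(structHash);
    }

    /// Hardened form: every argument that decides where funds go is inside the
    /// signed message, and each digest is accepted once. Changing `data` yields a
    /// different digest, so the recovered address is no longer `organizer`; a
    /// relayer who forwards the unchanged calldata produces exactly the outcome
    /// the organizer signed, which is the whole point of a signature-based entry.
    function deployBySignature(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata signature,
        bytes calldata data
    ) external returns (address) {
        bytes32 digest = deployDigest(organizer, contestId, implementation, data);
        if (usedDigest[digest]) revert SignedDeployExample__SignatureUsed();
        if (ECDSA.recover(digest, signature) != organizer) revert SignedDeployExample__InvalidSignature();
        usedDigest[digest] = true;
        return _deployAndDistribute(organizer, contestId, implementation, data);
    }

    /// Deterministic minimal-proxy clone of `implementation`, then forward `data`
    /// (e.g. the encoded `distribute` call) to the new proxy.
    function _deployAndDistribute(
        address organizer,
        bytes32 contestId,
        address implementation,
        bytes calldata data
    ) internal returns (address proxy) {
        bytes32 salt = keccak256(abi.encode(organizer, contestId, implementation));
        proxy = Clones.cloneDeterministic(implementation, salt);
        (bool ok, ) = proxy.call(data);
        if (!ok) revert SignedDeployExample__DistributeFailed();
    }
}
```

To reproduce the finding against this contract in a Foundry test, sign `_hashTypedDataV4(keccak256(abi.encode(contestId)))` with the organizer's key, call `deployBySignatureWeak` from a different address with attacker-chosen `data`, and observe that it succeeds; the same substitution against `deployBySignature` reverts with `SignedDeployExample__InvalidSignature` because `deployDigest` changes with `data`, and a second submission of the original calldata reverts with `SignedDeployExample__SignatureUsed`.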
