Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

Emergency Owner Function Inherits Vulnerabilities

Summary

deployProxyAndDistributeByOwner inherits the same vulnerabilities, so funds risk being locked even when the owner intervenes. Adding a safe address that all the funds can be sent to when things go wrong would solve this.

Vulnerability Details

As reported in other submissions, a lot can go wrong when distributing the prize. When a problem with the executor prevents him from distributing the prizes himself, the owner can do it after a few days by calling deployProxyAndDistributeByOwner. The problem is that even if the owner does this, he still has to face the same vulnerabilities the executor had to go through. I understand that the prize cannot be refunded to the sponsor or the executor, but it would be better if there were an option to at least send the funds to a trusted place when things go wrong, because they probably will at some point, and the funds would be stuck even if the owner used deployProxyAndDistributeByOwner.

Impact

The function deployProxyAndDistributeByOwner might not save the funds from getting locked; it only helps if the problem is the executor.

Tools Used

Manual review

Recommendations

Create a function that can send all the funds of the contest being dealt with to somewhere safe, from where they can later be correctly sent to the winners. The way deployProxyAndDistributeByOwner is structured at the moment, the funds would be locked even for the owner and hence lost. The new function's only goal is to retrieve the lost/stuck funds.
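
A sketch of such a rescue function, added here as an illustration and not taken from the Sparkn code base. The contract name, the rescueToSafe function, the fixed safeAddress and the rescueAfter time gate are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch, not Sparkn code. All names below are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ContestEscrowSketch {
    address public immutable owner;
    address public immutable safeAddress; // trusted destination, fixed at deployment
    uint256 public immutable rescueAfter; // assumed delay before the owner may rescue

    event Rescued(address indexed token, uint256 amount);

    error NotOwner();
    error TooEarly();
    error ZeroAddress();
    error NothingToRescue();
    error TransferFailed();

    constructor(address _safeAddress, uint256 _rescueAfter) {
        if (_safeAddress == address(0)) revert ZeroAddress();
        owner = msg.sender;
        safeAddress = _safeAddress;
        rescueAfter = _rescueAfter;
    }

    // Moves the whole balance of `token` to the fixed safe address.
    // This path takes no winners or percentages and does not go through
    // the distribution logic at all: its only state-changing external
    // call is one transfer to an address chosen at deployment.
    function rescueToSafe(address token) external {
        if (msg.sender != owner) revert NotOwner();
        if (block.timestamp < rescueAfter) revert TooEarly();
        uint256 amount = IERC20(token).balanceOf(address(this));
        if (amount == 0) revert NothingToRescue();
        // Low-level call so tokens that return no value from transfer still work.
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSelector(IERC20.transfer.selector, safeAddress, amount));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();
        emit Rescued(token, amount);
    }
}
```

Because the destination is immutable, the owner cannot redirect funds to an arbitrary address at call time; the funds can only be moved to the safe address, from where they can later be sent to the winners.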
