Submission Details
Severity:
The `distributeByOwner` lock period can be bypassed
Summary
Even if the lock period does not pass, the owner can bypass the lock period and call distributeByOwner.
Vulnerability Details
Since it is not checked whether the proxy parameter is a proxy address using this salt, by using organizer, contestId, implementation of contest which already passed lock period, owner can bypass lock period.
function distributeByOwner(
address proxy,
address organizer,
bytes32 contestId,
address implementation,
bytes calldata data
) public onlyOwner {
if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
bytes32 salt = _calculateSalt(organizer, contestId, implementation);
if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
// distribute only when it exists and expired
if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
_distribute(proxy, data);
}
Impact
The owner can bypass the lock period and distribute the prize
Tools Used
vscode
Recommendations
Check if proxy is actually made by the salt
function distributeByOwner(
address proxy,
address organizer,
bytes32 contestId,
address implementation,
bytes calldata data
) public onlyOwner {
if (proxy == address(0)) revert ProxyFactory__ProxyAddressCannotBeZero();
bytes32 salt = _calculateSalt(organizer, contestId, implementation);
if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
// distribute only when it exists and expired
if (saltToCloseTime[salt] + EXPIRATION_TIME > block.timestamp) revert ProxyFactory__ContestIsNotExpired();
+ require(getProxyAddress(salt, implementation) == proxy);
_distribute(proxy, data);
}
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
19477 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.