The current implementation of the setContest function restricts the creation of contests to the owner, whereas the documentation suggests that organizers should have the ability to create contests.
Vulnerability Details
In the setContest function of the ProxyFactory.sol contract, access control is limited to only the owner. This is contrary to the documented functionality where organizers are expected to create contests. The code includes the onlyOwner modifier, which prevents organizers from setting contest properties.
According to the documentation:
There are mainly 3 roles in the protocol.
Organizer: The person who creates the contest and he is responsible for distributing the prizes to the winners. We also sometimes call this role "innovator".
Sponsor: the person who is willing to fund the contest. Sponsor can be anyone include the organizer.
Supporter: the person who is willing to help solve the problem. Winners are selected from the supporters.
Owner: The administrator of the protocol.
Impact
The impact of this issue is that it limits the protocol's intended flexibility. Organizers, who are supposed to have the capability to create contests, are currently unable to do so. This misalignment between the code and the documentation can lead to confusion and hinder the expected usage of the protocol.
Tools Used
Manual Review
Recommendations
To align the code with the documented functionality and allow organizers to create contests.
known issue: "Owner is in charge of some of the key functions of the protocol. Owner's centralization risk is not an issue to be considered this time."
Organizer's Access Limitation in setContest function
Severity
High Risk
Relevant GitHub Links
2023-08-sparkn/src/ProxyFactory.sol, Lines 105 to 117 in 0f139b2