Organizer's Access Limitation in setContest function #569

Closed
codehawks-bot opened this issue Aug 29, 2023 · 3 comments

@codehawks-bot

Organizer's Access Limitation in setContest function

Severity

High Risk

Relevant GitHub Links

function setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation)
    public
    onlyOwner
{
    if (organizer == address(0) || implementation == address(0)) revert ProxyFactory__NoZeroAddress();
    if (closeTime > block.timestamp + MAX_CONTEST_PERIOD || closeTime < block.timestamp) {
        revert ProxyFactory__CloseTimeNotInRange();
    }
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    if (saltToCloseTime[salt] != 0) revert ProxyFactory__ContestIsAlreadyRegistered();
    saltToCloseTime[salt] = closeTime;
    emit SetContest(organizer, contestId, closeTime, implementation);
}

Summary

The current implementation of the setContest function restricts the creation of contests to the owner, whereas the documentation suggests that organizers should have the ability to create contests.

Vulnerability Details

In the code for the contract ProxyFactory.sol, the setContest function, access control is limited to only the owner. This is contrary to the documented functionality where organizers are expected to create contests. The code includes the onlyOwner modifier, which prevents organizers from setting contest properties.

According to the documentation:

There are mainly 3 roles in the protocol.

Organizer: The person who creates the contest and he is responsible for distributing the prizes to the winners. We also sometimes call this role "innovator".

Sponsor: the person who is willing to fund the contest. Sponsor can be anyone include the organizer.

Supporter: the person who is willing to help solve the problem. Winners are selected from the supporters.

Owner: The administrator of the protocol.

Impact

The impact of this issue is that it limits the protocol's intended flexibility. Organizers, who are supposed to have the capability to create contests, are currently unable to do so. This misalignment between the code and the documentation can lead to confusion and hinder the expected usage of the protocol.

Tools Used

Manual Review

Recommendations

To align the code with the documented functionality and allow organizers to create contests.

@PatrickAlphaC
Member

known issue: "Owner is in charge of some of the key functions of the protocol. Owner's centralization risk is not an issue to be considered this time."

@ghost

ghost commented Sep 8, 2023

known issue: "Owner is in charge of some of the key functions of the protocol. Owner's centralization risk is not an issue to be considered this time."

escalate

it was not mentioned before
