Audit Report Review-Sparkn

Introduction

I recently participated in my first Smart Contract Contest, the Sparkn Contest, and was fortunate enough to find 1 High and 2 Low findings, which helped me place 18th. The codebase is small and would be a great opportunity for a new auditor.


Protocol Introduction

Sparkn has excellent documentation and diagrams. The Sparkn protocol is a Web3 open market for sponsors, organizers, and supporters. Here are the definitions of each role:

  • Organizer: The person who creates the contest and is responsible for distributing the prizes to the winners. This role is sometimes referred to as the “innovator.”
  • Sponsor: The person who is willing to fund the contest. The sponsor can be anyone, including the organizer.
  • Supporter: The person who is willing to help solve the problem. The winners are selected from the supporters.
  • Owner: The administrator of the protocol.

The use case is pretty straightforward:

  1. The protocol owner sets up a new contest with a close time by calling setContest(address organizer, bytes32 contestId, uint256 closeTime, address implementation).
  2. Sponsors obtain the contest's proxy address from getProxyAddress(bytes32 salt, address implementation) public view returns (address proxy) and send tokens to it.
  3. After the close time, the proxy factory is called to deploy the proxy contract and trigger the token distribution, through one of three entry points:
    • The organizer calls deployProxyAndDistribute(bytes32 contestId, address implementation, bytes calldata data).
    • A caller deploys and distributes on the organizer's behalf, using the organizer's signature, via deployProxyAndDistributeBySignature(address organizer, bytes32 contestId, address implementation, bytes calldata signature, bytes calldata data).
    • The protocol owner calls deployProxyAndDistributeByOwner(address organizer, bytes32 contestId, address implementation, bytes calldata data) once the contest has expired.
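An illustrative Solidity sketch of the lifecycle above, added here as an example and not Sparkn's own ProxyFactory: proxies are CREATE2 clones so their address is known (and fundable) before deployment, the signed path binds every deployment parameter into the digest, and the owner path assumes a 30-day grace period. It uses OpenZeppelin's Clones, EIP712 and ECDSA; the salt derivation, the contract name, and the way data is forwarded to the proxy are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

contract ContestFactory is EIP712 {
    bytes32 private constant DEPLOY_TYPEHASH =
        keccak256("Deploy(address organizer,bytes32 contestId,address implementation,bytes data)");
    uint256 public constant EXPIRATION = 30 days; // assumed grace period before the owner may act
    address public immutable owner;
    mapping(bytes32 => uint256) public closeTime; // salt => close time; 0 means no such contest
    constructor() EIP712("ContestFactory", "1") { owner = msg.sender; }

    // One contest per (organizer, contestId, implementation) triple (assumed salt derivation).
    function _salt(address org, bytes32 id, address impl) internal pure returns (bytes32) {
        return keccak256(abi.encode(org, id, impl));
    }
    function setContest(address org, bytes32 id, uint256 close, address impl) external {
        bytes32 salt = _salt(org, id, impl);
        require(msg.sender == owner && closeTime[salt] == 0 && close > block.timestamp, "bad contest");
        closeTime[salt] = close;
    }
    // CREATE2 makes the proxy address known, so sponsors can fund it before any code lives there.
    function getProxyAddress(bytes32 salt, address impl) public view returns (address) {
        return Clones.predictDeterministicAddress(impl, salt);
    }
    function deployProxyAndDistribute(bytes32 id, address impl, bytes calldata data)
        external returns (address) { return _deploy(msg.sender, id, impl, data); }
    // Relayed path: the EIP-712 digest binds every deployment parameter, so one signature
    // cannot serve another contest or implementation; CREATE2 reverts if the proxy already exists.
    function deployProxyAndDistributeBySignature(address org, bytes32 id, address impl,
            bytes calldata signature, bytes calldata data) external returns (address) {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(DEPLOY_TYPEHASH, org, id, impl, keccak256(data))));
        require(ECDSA.recover(digest, signature) == org, "bad signature");
        return _deploy(org, id, impl, data);
    }
    // Owner fallback once the organizer has let the contest expire.
    function deployProxyAndDistributeByOwner(address org, bytes32 id, address impl, bytes calldata data) external returns (address) {
        require(msg.sender == owner && block.timestamp > closeTime[_salt(org, id, impl)] + EXPIRATION, "not expired");
        return _deploy(org, id, impl, data);
    }
    function _deploy(address org, bytes32 id, address impl, bytes calldata data) internal returns (address proxy) {
        bytes32 salt = _salt(org, id, impl);
        require(closeTime[salt] != 0 && block.timestamp > closeTime[salt], "contest not closed");
        proxy = Clones.cloneDeterministic(impl, salt); // reverts on a second deployment
        (bool ok, ) = proxy.call(data); // assumed: data encodes the implementation's distribute call
        require(ok, "distribute failed");
    }
}
```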

My findings

  1. H-01. Unauthorized Contract Deployment and Bonus Manipulation via Signature Reuse
    https://github.com/Cyfrin/2023-08-sparkn/issues/403

  2. L-01. Lack of Valid Address Validation in distribute Function
    https://github.com/Cyfrin/2023-08-sparkn/issues/402

  3. L-02. Fairness Concerns in Token Distribution Corner Case
    https://github.com/Cyfrin/2023-08-sparkn/issues/401

Review

Positives

  • I showed enough patience with this contest even though the contest specification was not that clear. It felt like a Web2 and Web3 mixed protocol, but I always had faith that “there is still another one to dig.”
  • I enhanced my comprehension of the system’s architecture by regularly sketching diagrams.

Negatives

  • I made mistakes on some findings that I thought were not allowed to happen and should be restricted off-chain. This caused me to miss findings such as the organizer being able to reclaim funds from sponsors and the duplicated winner address check. In the future, I will ask the protocol owner to clarify my concerns.
  • I did not dive deep into some aspects that I was not familiar with, such as EIP-721. Although it was a medium finding, it received the highest reward. During the contest, an auditor should never ignore any potential vulnerabilities, especially in unfamiliar aspects.