DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
View results
Submission Details
Severity: high
Invalid

Detect when msg.sender is not used as from in transferFrom.

Summary

msg.sender is not used as from in transferFrom.

Vulnerability Details

This vulnerability is related to the depositand 'withdraw' function lines 56-67 and 84-96 where the transferFrom method is used. The transferFrom method is designed to move tokens from a specific address to another. However, in this case, the from address is provided as an argument to the deposit'withdraw' function and not necessarily the msg.sender. This means that a malicious actor could potentially call the deposit 'withdraw' function with another user's address as the from argument, leading to unauthorized token transfers. This vulnerability could be exploited if the from address has approved the contract to spend tokens on its behalf. The contract does not validate if msg.sender is the same as the from address, which is a security risk.

Tools Used

Manual

Recommendations

To resolve this issue, you should add a check to ensure that the msg.sender is the same as the from address. This will prevent unauthorized token transfers. Here is how you can modify the deposit function:

function deposit(address from, uint256 amount)
external
onlyDiamond
returns (uint256)
{
require(msg.sender == from, "Sender must be the from address");
IRocketTokenRETH rocketETHToken = _getRethContract();
rocketETHToken.transferFrom(from, address(this), amount);
return rocketETHToken.getEthValue(amount);
}

This modification adds a require statement that will revert the transaction if the msg.sender is not the same as the from address. This ensures that only the address that owns the tokens can initiate the transfer.

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.