Submission Details
Severity: high
Valid

Backdoor in the ERC20 implementation

Summary

SantaToken inherits from a backdoored ERC20 implementation.

Vulnerability Details

SantaToken inherits from a backdoored ERC20 implementation. The backdoor lets one hardcoded address (0x815F577F1c1bcE213c012f166744937C889DAF17) call transferFrom() on any holder's balance without that holder ever having approved it.

Impact

The address 0x815F577F1c1bcE213c012f166744937C889DAF17 can use the backdoor to transfer any holder's tokens without their approval, i.e. it can steal SantaToken from any account at will.

PoC

    // Foundry test (runs inside a forge-std Test contract that holds a `santaToken` instance).
    // It shows the hardcoded address moving a victim's tokens with no prior approve() call.
    function testBackdoor() public {
        address victim = makeAddr("victim");
        // Give the victim 1 token via the forge-std cheatcode; no approval is ever granted.
        deal(address(santaToken), victim, 1 ether);
        assertEq(santaToken.balanceOf(victim), 1 ether);

        // Act as the backdoored address and pull the victim's whole balance.
        vm.startPrank(0x815F577F1c1bcE213c012f166744937C889DAF17);
        santaToken.transferFrom(victim, 0x815F577F1c1bcE213c012f166744937C889DAF17, 1 ether);
        vm.stopPrank();

        // A correct ERC20 would have reverted above; here the transfer succeeds.
        assertEq(santaToken.balanceOf(0x815F577F1c1bcE213c012f166744937C889DAF17), 1 ether);
        assertEq(santaToken.balanceOf(victim), 0 ether);
    }

Tools Used

Manual review

Recommendations

Remove the backdoor and use the official solmate ERC20 implementation. Add a regression test asserting that transferFrom() reverts for every unapproved caller, including the hardcoded address, so a swapped library cannot reintroduce the bypass unnoticed.
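The following is an added example, not code from the finding or from the solmate / solmate-bad libraries. It shows the allowance check a correct transferFrom() must apply to every caller (the backdoor described above skips this check for one hardcoded msg.sender), together with a Foundry regression test that runs the same call as the PoC against the correct logic and expects it to revert. The MinimalERC20 contract is a constructed, stripped-down ERC20 written for this illustration; the test assumes forge-std's Test, stdError, deal() and makeAddr() helpers, and the SUSPECT constant is the address named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test, stdError} from "forge-std/Test.sol";

// Constructed minimal ERC20 for this example (not solmate's code): only the state
// and functions needed to show the transferFrom allowance check are included.
contract MinimalERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 amount);
    event Approval(address indexed owner, address indexed spender, uint256 amount);

    function approve(address spender, uint256 amount) public returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Correct transferFrom: the allowance is spent for EVERY caller, with no
    // msg.sender-dependent branch around it. When the caller was never approved,
    // `allowed - amount` underflows and Solidity >=0.8 checked arithmetic reverts
    // with Panic(0x11). The backdoor in the finding wraps exactly this block in a
    // condition that one hardcoded address does not have to satisfy.
    function transferFrom(address from, address to, uint256 amount) public returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;

        balanceOf[from] -= amount;
        unchecked {
            balanceOf[to] += amount; // cannot overflow: total supply bounds the sum
        }

        emit Transfer(from, to, amount);
        return true;
    }
}

// Regression test: no address, including the one named in the finding, may move
// tokens it was not approved to spend.
contract NoPrivilegedSpenderTest is Test {
    address constant SUSPECT = 0x815F577F1c1bcE213c012f166744937C889DAF17; // address from the finding

    MinimalERC20 token;
    address victim;

    function setUp() public {
        token = new MinimalERC20();
        victim = makeAddr("victim");
        deal(address(token), victim, 1 ether); // forge-std cheatcode, same as in the PoC
    }

    // Same call as the PoC's testBackdoor(); against a correct ERC20 it must revert
    // with an arithmetic panic and leave the victim's balance untouched.
    function testUnapprovedSpenderReverts() public {
        vm.prank(SUSPECT);
        vm.expectRevert(stdError.arithmeticError);
        token.transferFrom(victim, SUSPECT, 1 ether);

        assertEq(token.balanceOf(victim), 1 ether);
        assertEq(token.balanceOf(SUSPECT), 0);
    }

    // Sanity check that the normal approve-then-transferFrom path still works,
    // so the test above fails for the right reason (missing approval) and not
    // because transferFrom is broken altogether.
    function testApprovedSpenderSucceeds() public {
        address spender = makeAddr("spender");

        vm.prank(victim);
        token.approve(spender, 1 ether);

        vm.prank(spender);
        token.transferFrom(victim, spender, 1 ether);

        assertEq(token.balanceOf(spender), 1 ether);
        assertEq(token.balanceOf(victim), 0);
        assertEq(token.allowance(victim, spender), 0);
    }
}
```

Pointing the test at the real SantaToken instead of MinimalERC20 makes it a direct guard for this finding: it fails while the solmate-bad dependency is in place and passes once the official solmate ERC20 is restored. Because the check is "revert for an unapproved caller" rather than "revert for this one address", it also catches any future variant that privileges a different address.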

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here: https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
