Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

There exists a user who can steal anybody's SantaToken without requiring any prior approval.

Summary

SantaToken has all the makings of a rug pull.

Vulnerability Details

The project depends on a compromised version of solmate to build its ERC20 token (SantaToken). Because of this compromised dependency, there exists a user who can steal anybody's SantaTokens without requiring any prior approval.

The user is 0x815F577F1c1bcE213c012f166744937C889DAF17

POC

Put the test excerpt below in `test/unit/SantasListTest.t.sol`:

```solidity
function testStealSantaToken() public {
    // Santa marks the user EXTRA_NICE twice so they are eligible for a present and a token.
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    // Move past Christmas so presents can be collected.
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    // The user collects their present and receives 1 SantaToken.
    vm.startPrank(user);
    santasList.collectPresent();
    assertEq(santaToken.balanceOf(user), 1e18);
    vm.stopPrank();

    // The hard-coded address transfers the user's tokens with no approval ever granted.
    address godModeUser = address(0x815F577F1c1bcE213c012f166744937C889DAF17);
    vm.prank(godModeUser);
    santaToken.transferFrom(user, godModeUser, 1e18);
    assertEq(santaToken.balanceOf(user), 0);
}
```

In the terminal, run `forge test --mt testStealSantaToken`.
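As an added regression test (not part of the original submission), the following Foundry test checks the property the PoC shows to be broken: no caller, whether fuzzed or the specific address named above, may move a holder's tokens without an allowance. It assumes a `solmate/` remapping pointing at the installed ERC20 library and a hypothetical `AuditToken` wrapper that only adds minting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "solmate/tokens/ERC20.sol"; // assumed remapping to the library under review

// Hypothetical minimal token: the only behaviour under test comes from the library's ERC20.
contract AuditToken is ERC20("Audit", "AUD", 18) {
    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

contract TransferFromAllowanceTest is Test {
    AuditToken internal token;
    address internal holder = makeAddr("holder");

    function setUp() public {
        token = new AuditToken();
        token.mint(holder, 1e18);
    }

    // For any caller the holder never approved, transferFrom must revert and the
    // balance must be untouched. A library that whitelists a fixed address fails
    // this property for that address.
    function testFuzz_transferFromRequiresAllowance(address caller, uint256 amount) public {
        vm.assume(caller != holder);
        amount = bound(amount, 1, 1e18);

        vm.prank(caller);
        vm.expectRevert();
        token.transferFrom(holder, caller, amount);

        assertEq(token.balanceOf(holder), 1e18);
    }

    // Deterministic check for the exact address reported in this finding, so the
    // regression is caught even if the fuzzer never happens to generate it.
    function test_reportedAddressCannotBypassAllowance() public {
        address suspect = address(0x815F577F1c1bcE213c012f166744937C889DAF17);

        vm.prank(suspect);
        vm.expectRevert();
        token.transferFrom(holder, suspect, 1e18);

        assertEq(token.balanceOf(holder), 1e18);
    }
}
```

Against the compromised library the second test fails, which is the signal you want in CI; against upstream solmate both pass because `transferFrom` underflows on the zero allowance and reverts.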

Impact

The user with address 0x815F577F1c1bcE213c012f166744937C889DAF17 can steal anybody's SantaToken (ERC20 token) without requiring any prior approval. Combined with the fact that the SantasList smart contract author is this very same suspicious address, this is akin to a rug pull in the making.

Tools Used

Manual review

Recommendations

This vulnerability exists because the project uses a vulnerable version of solmate that was compromised by the package authors at this point in time.

My suggestion is to move away from this vulnerable solmate version (solmate-bad) to the actual solmate library developed by transmissions11.

In the Makefile, line 13:

- install :; forge install foundry-rs/forge-std --no-commit && forge install openzeppelin/openzeppelin-contracts --no-commit && forge install patrickalphac/solmate-bad --no-commit
+ install :; forge install foundry-rs/forge-std --no-commit && forge install openzeppelin/openzeppelin-contracts --no-commit && forge install transmissions11/solmate --no-commit
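Review bot: the replacement `forge install transmissions11/solmate --no-commit` pulls whatever the repository's default branch is at install time, which is the same unpinned-dependency pattern that let a corrupted library in; pin it to a release tag or commit (`forge install transmissions11/solmate@<tag>`) so the fix is reproducible. Also note that `forge install` only adds a dependency: an already-checked-out `lib/solmate-bad` directory will remain, so remove it and point any remapping or import that references `solmate-bad` at the new library, otherwise the build keeps resolving to the compromised code.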

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
