Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Backdoor introduced through a modified Solmate ERC20.sol library contract can potentially drain all funds of any token holder

Summary

The transferFrom function in the bundled Solmate library contains a hardcoded address (0x815F577F1c1bcE213c012f166744937C889DAF17) that can transfer any amount of tokens from any account without holding an allowance. This also affects the SantaToken contract if it uses this library.

Vulnerability Details

The transferFrom function of an ERC20 contract is called when you want to move tokens out of an account you do not own. Instead of a balance, you rely on an allowance that the token owner has granted to you. transferFrom checks that the caller holds a sufficient allowance from the owner; if so, it moves the tokens and reduces the allowance by the transferred amount.

The modified ERC20 contract changes transferFrom so that one hardcoded address is exempted from the allowance check. That address can therefore move tokens from any account to any other account, potentially draining the funds of every token holder.

Impact

This vulnerability affects the SantaToken contract wherever it relies on transferFrom to move tokens. Whoever controls the hardcoded address can drain any token holder by moving tokens from that holder's account to another account, without ever being approved.

Tools Used

Manual Review and AI.

Recommendations

The straightforward way to fix this vulnerability:
Use the original, unmodified Solmate ERC20 contract instead of the modified one.
Or use the OpenZeppelin ERC20 implementation instead.
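To make the allowance rule from the Vulnerability Details section concrete, and to give the recommendation above a check that can be kept in the test suite, here is an added example (not code from the Santa's List codebase, from Solmate, or from the judge). It models a minimal token with a correct transferFrom, a variant carrying the same kind of hardcoded bypass the finding describes, and a Foundry test asserting that no spender, whatever its address, can call transferFrom without an allowance. The contract names, the holder/recipient labels and the BACKDOOR address are constructed placeholders; the real finding names a different address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project or library code. Requires forge-std (Foundry).
import {Test} from "forge-std/Test.sol";

contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Constructed placeholder, NOT the address from the finding.
    address public constant BACKDOOR = address(0xBAD);

    constructor(address to, uint256 amount) {
        balanceOf[to] = amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Correct behaviour: every spender must hold an allowance, no exceptions.
    function transferFrom(address from, address to, uint256 amount) external virtual returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed != type(uint256).max) {
            // Checked arithmetic in 0.8.x: an unapproved or over-limit spender reverts here.
            allowance[from][msg.sender] = allowed - amount;
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Variant with the bypass pattern the finding describes: one hardcoded spender
// skips the allowance bookkeeping entirely.
contract BackdooredToken is MinimalToken {
    constructor(address to, uint256 amount) MinimalToken(to, amount) {}

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (msg.sender != BACKDOOR) {
            uint256 allowed = allowance[from][msg.sender];
            if (allowed != type(uint256).max) {
                allowance[from][msg.sender] = allowed - amount;
            }
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract TransferFromAllowanceTest is Test {
    address holder = makeAddr("holder");
    address recipient = makeAddr("recipient");

    // The property to keep in the suite: an unapproved spender must always revert.
    function _assertUnapprovedSpenderReverts(MinimalToken token, address spender) internal {
        vm.prank(spender);
        vm.expectRevert();
        token.transferFrom(holder, recipient, 1);
    }

    function testCorrectTokenRejectsEveryUnapprovedSpender() public {
        MinimalToken token = new MinimalToken(holder, 100);
        _assertUnapprovedSpenderReverts(token, makeAddr("stranger"));
        _assertUnapprovedSpenderReverts(token, token.BACKDOOR());
    }

    function testApprovedSpenderSucceedsAndAllowanceShrinks() public {
        MinimalToken token = new MinimalToken(holder, 100);
        address spender = makeAddr("spender");
        vm.prank(holder);
        token.approve(spender, 40);
        vm.prank(spender);
        token.transferFrom(holder, recipient, 30);
        assertEq(token.balanceOf(recipient), 30);
        assertEq(token.allowance(holder, spender), 10);
    }

    // Documents what the check above catches: the backdoored variant still rejects
    // a stranger, but the hardcoded spender moves the whole balance unapproved.
    function testBackdooredTokenBypassesAllowanceForHardcodedSpender() public {
        BackdooredToken token = new BackdooredToken(holder, 100);
        _assertUnapprovedSpenderReverts(token, makeAddr("stranger"));
        vm.prank(token.BACKDOOR());
        token.transferFrom(holder, recipient, 100);
        assertEq(token.balanceOf(holder), 0);
        assertEq(token.balanceOf(recipient), 100);
    }
}
```

Running `forge test` with the library actually imported by SantaToken in place of MinimalToken is the useful version of this: the first test must pass against whatever ERC20 base the project ships, and a dependency that has been tampered with the way the finding describes fails it immediately.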

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
