First Flight #9: Soulmate
First Flight #9
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Vault.initVault(ILoveToken loveToken, address managerContract) can be frontrun

Ritos

Summary

Vault.initVault(ILoveToken loveToken, address managerContract) can be frontrun

Vulnerability Details

In 2 contracts Vault (one for airdrop and one for staking)
function initVault(ILoveToken loveToken, address managerContract) can be frontrun by malicious user which leads to stolen all funds from loveToken contract.

POC

1 Solmate team deploy LoveToken contract.
2 Solmate team deploy Vault for airdrop or staking.
3 Solmate team calls initVault(ILoveToken loveToken, address managerContract).
4 Attacker is constantly scanning the mempool for initVault(ILoveToken loveToken, address managerContract) function calls.
5 Attacker detects a initVault(ILoveToken loveToken, address managerContract) function call in the mempool.
6 Attacker frontruns the initVault(ILoveToken loveToken, address managerContract) call with the LoveToken address as loveToken input parameter and his address as a managerContract input parameter.
7 Attacker calls LoveToken.transferFrom with:

  • from input parameter equal Vault address,

  • to input parameter equal address controlled by the attacker,

  • amount input parameter equal 500_000_000 ether.

Tools Used

Manual review.

Recommendations

Implement access control for Vault.initVault(ILoveToken loveToken, address managerContract) to ensure only the relevant deployer can call Vault.initVault(ILoveToken loveToken, address managerContract).

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.