https://github.com/Cyfrin/2024-02-soulmate/blob/main/src/Vault.sol#27-32
Lack of access control allows an attacker to claim all the tokens
In the Vault contract there is an initVault function, which takes loveToken and manager as input to initialize the vault. It is used to handle the airdrop and the staking rewards (the contract is deployed twice: one instance for staking rewards and the other for the airdrop).
Here is the function --
If you check the highlighted line, the function is public, which means it can be called by anyone. An attacker can monitor the mempool and call initVault before the owner does, so that the tokens end up under his control. Once the vault is initialized, no one can update the variables.
When the vault is initialized, here is what happens: 500_000_000 love tokens are minted to each vault, then the vault's tokens are approved to the manager. Here manager is an input, which is under the attacker's control. So he will pass his own address as manager and will be able to drain all the tokens from the vaults.
In the existing BaseTest.t.sol, remove or comment out the following lines from setUp:
Then create the following test function:
When you run the following command in your terminal, forge test --mt testTokenDrainIfVaultInitializedByAttacker -vv, it will return the following logs:
It is recommended to restrict this function so that it can be called only by the owner.
Loss of love tokens that are supposed to be given out as airdrop and staking rewards.
Manual Review
Here are a few recommendations which can be implemented:
Use an if block so that the function can be called only by the owner.
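To make the recommendation concrete, and to give the attacker-initialization test described above a counterpart for the fixed contract, here is an added example. It is not code from the Soulmate repository or from this finding's own proof of concept. It assumes a minimal ILoveToken interface exposing only initVault(address), a constructed MockLoveToken that simply records which manager address it was given, a hardened contract named VaultFixed whose owner is the deployer, and Foundry's forge-std for the test harness; the custom error names are also assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed minimal interface: only the call the vault needs (example, not the project's own).
interface ILoveToken {
    function initVault(address managerContract) external;
}

// Hardened vault: the deployer becomes owner, and only the owner may initialize.
contract VaultFixed {
    error Vault__AlreadyInitialized();
    error Vault__NotOwner();

    address public immutable owner;
    bool public vaultInitialize;

    constructor() {
        owner = msg.sender;
    }

    function initVault(ILoveToken loveToken, address managerContract) public {
        if (msg.sender != owner) revert Vault__NotOwner();        // added access control
        if (vaultInitialize) revert Vault__AlreadyInitialized();  // one-shot initialization
        vaultInitialize = true;                                   // set before the external call
        loveToken.initVault(managerContract);
    }
}

// Constructed mock: records the manager it was asked to authorize, so the test can observe it.
contract MockLoveToken is ILoveToken {
    address public approvedManager;

    function initVault(address managerContract) external {
        approvedManager = managerContract;
    }
}

contract VaultAccessControlTest is Test {
    VaultFixed internal vault;
    MockLoveToken internal token;
    address internal owner = makeAddr("owner");
    address internal attacker = makeAddr("attacker");
    address internal legitManager = makeAddr("manager");

    function setUp() public {
        token = new MockLoveToken();
        vm.prank(owner);
        vault = new VaultFixed();
    }

    // A non-owner call reverts and leaves the vault uninitialized and no manager approved.
    function testAttackerCannotInitVault() public {
        vm.prank(attacker);
        vm.expectRevert(VaultFixed.Vault__NotOwner.selector);
        vault.initVault(token, attacker);

        assertFalse(vault.vaultInitialize());
        assertEq(token.approvedManager(), address(0));
    }

    // The owner can initialize exactly once with the intended manager.
    function testOwnerInitsVaultOnce() public {
        vm.prank(owner);
        vault.initVault(token, legitManager);

        assertTrue(vault.vaultInitialize());
        assertEq(token.approvedManager(), legitManager);

        vm.prank(owner);
        vm.expectRevert(VaultFixed.Vault__AlreadyInitialized.selector);
        vault.initVault(token, attacker);
    }
}
```

Run it with forge test --mc VaultAccessControlTest -vv. The owner is fixed in the constructor rather than passed to initVault, because taking the owner as a parameter of the very call being protected would recreate the same front-running window the finding describes.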