Submission Details
Severity: medium
Invalid

Ensuring GodFather Access in Role-Based Smart Contract Functions

Summary

The vulnerability lies in the access control of the laundrette contract, specifically in the functions laundrette::withdrawMoney, laundrette::takeGuns and laundrette::addToTheGang. These functions use the onlyRole("gangmember") modifier, which restricts access to callers holding the "gangmember" role. If the GodFather (the primary authority figure in the contract) loses the "gangmember" role, they can no longer call these critical functions, which could mean a significant loss of control and functionality within the contract.

Vulnerability Details

The laundrette contract employs role-based access control to restrict access to specific functions. Although these functions also perform an isAuthorizedOrRevert check, the modifier still requires the caller to hold the "gangmember" role. This creates a dependency: if the GodFather loses that role, they lose the ability to execute these critical functions.

Impact

The primary impact of this vulnerability is the potential loss of control by the GodFather over essential contract functions. If the GodFather's "gangmember" role is revoked, intentionally or unintentionally, the following critical functionalities are affected:

  • Financial Transactions: The GodFather will be unable to withdraw money, leading to potential financial losses or an inability to access funds when needed.

  • Resource Management: The GodFather will be unable to manage weapons, which could affect the contract's operational capabilities.

  • Membership Management: The GodFather will be unable to add new members to the gang, affecting the growth and management of the organization.

This vulnerability undermines the GodFather's authority and could lead to significant disruptions in the contract's operations.

Tools Used

Manual review

Recommendations

Remove the account parameter, since the function checks that it equals msg.sender anyway, and add a modifier that passes when msg.sender either holds the role or is the GodFather:

// Passes for any "gangmember" role holder and, independently of roles, for the GodFather
// (kernel.executor()), so revoking the GodFather's role can no longer lock them out.
modifier onlyGangmemberOrGodFather() {
    if (!(hasRole("gangmember", msg.sender) || msg.sender == kernel.executor())) {
        revert("AccessControl: account does not have the required role or is not the GodFather");
    }
    _;
}

// The account parameter is dropped: the caller is always msg.sender.
function withdrawMoney(
    address to,
    uint256 amount
)
    external
    onlyGangmemberOrGodFather
{
    moneyShelf.withdrawUSDC(msg.sender, to, amount);
}
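As an added illustration (not code from this submission or from the Laundrette project), a Foundry regression test built on constructed stand-ins for the kernel and the role store: it shows the original onlyRole("gangmember") pattern locking the GodFather out once the role is revoked, while the recommended onlyGangmemberOrGodFather modifier keeps the GodFather's access. MockKernel, MockLaundrette, the mapping-based role store, setRole and the withdrawn counter are assumptions, not the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-ins (assumptions, not the audited Laundrette or Kernel code):
// kernel.executor() is the GodFather and roles live in a plain mapping.
contract MockKernel {
    address public executor;
    constructor(address godFather) { executor = godFather; }
}
contract MockLaundrette {
    MockKernel public kernel;
    mapping(bytes32 => mapping(address => bool)) private roles;
    uint256 public withdrawn; // stands in for moneyShelf.withdrawUSDC
    constructor(MockKernel k) { kernel = k; }
    function hasRole(bytes32 role, address a) public view returns (bool) { return roles[role][a]; }
    // Only the GodFather may grant or revoke a role.
    function setRole(bytes32 role, address a, bool on) external {
        require(msg.sender == kernel.executor(), "only GodFather");
        roles[role][a] = on;
    }
    // Pattern reported above: the caller must hold the role; the GodFather gets no exemption.
    modifier onlyRole(bytes32 role) {
        require(hasRole(role, msg.sender), "AccessControl: missing role");
        _;
    }
    // Recommended pattern: role holder or GodFather.
    modifier onlyGangmemberOrGodFather() {
        if (!(hasRole("gangmember", msg.sender) || msg.sender == kernel.executor())) {
            revert("AccessControl: account does not have the required role or is not the GodFather");
        }
        _;
    }
    function withdrawMoney(address, uint256 amount) external onlyRole("gangmember") { withdrawn += amount; }
    function withdrawMoneyFixed(address, uint256 amount) external onlyGangmemberOrGodFather { withdrawn += amount; }
}

contract GodFatherAccessTest is Test {
    address godFather = makeAddr("godFather");
    MockLaundrette laundrette;
    function setUp() public { laundrette = new MockLaundrette(new MockKernel(godFather)); }
    // Regression check: once the GodFather's gangmember role is revoked, they must keep access.
    function test_godFatherKeepsAccessAfterRoleRevocation() public {
        vm.startPrank(godFather);
        laundrette.setRole("gangmember", godFather, true);  // granted...
        laundrette.setRole("gangmember", godFather, false); // ...then revoked
        vm.expectRevert(bytes("AccessControl: missing role"));
        laundrette.withdrawMoney(godFather, 1);      // original modifier locks the GodFather out
        laundrette.withdrawMoneyFixed(godFather, 1); // recommended modifier lets them through
        assertEq(laundrette.withdrawn(), 1);
    }
}
```

Run with forge test; the same test can be pointed at the real contracts by replacing the stand-ins with the project's deployment.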
Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity