Submission Details
Severity: high
Invalid

Insecure Deposit Function Allowing Arbitrary Account Specification

Summary

A vulnerability was found in the depositTheCrimeMoneyInATM function of the Laundrette smart contract, where the function allows deposits on behalf of any account without verification, potentially leading to misuse and unauthorized actions.

Vulnerability Details

The depositTheCrimeMoneyInATM function is designed to facilitate deposits of USDC into the moneyShelf module. The function takes three parameters: account, to, and amount. The current implementation allows the account parameter to be specified by the caller without any checks or restrictions:

function depositTheCrimeMoneyInATM(address account, address to, uint256 amount) external {
    moneyShelf.depositUSDC(account, to, amount);
}

In this implementation, the account parameter is used directly in the moneyShelf.depositUSDC call, which means that any caller can specify any account for depositing funds. This can lead to potential misuse where unauthorized users can deposit funds on behalf of others, possibly causing tracking issues and unauthorized activities.

Impact

The main impacts of this vulnerability are:

  1. Unauthorized Deposits: Any user can deposit USDC on behalf of another user without their consent, leading to potential misuse.

  2. Accountability Issues: Tracking the actual source of deposits becomes challenging as the actual depositor is not verified.

  3. Potential Exploits: Malicious actors could exploit this behavior to manipulate account balances, possibly leading to further financial discrepancies or unauthorized financial actions.

Tools Used

Manual code review

Recommendations

To mitigate this vulnerability, the function should be modified to use msg.sender as the depositor, so that a caller can only deposit on their own behalf. The corrected implementation should be:

function depositTheCrimeMoneyInATM(address to, uint256 amount) external {
    moneyShelf.depositUSDC(msg.sender, to, amount);
}

This modification ensures that the account parameter is always the address of the caller (msg.sender), thereby preventing unauthorized users from depositing on behalf of other accounts.

By implementing this change, the function will maintain the integrity of deposit actions, ensuring that only authorized users can deposit USDC on their own behalf, thus improving the security and reliability of the Laundrette smart contract.
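
The following regression check is an added example, not code from this submission or from the Laundrette project. It contrasts the two forms of depositTheCrimeMoneyInATM shown above; RecordingShelf, LaundretteBefore, LaundretteAfter, DepositorBindingCheck and THIRD_PARTY are hypothetical names, and the shelf is a stand-in that only records its arguments because the page does not show depositUSDC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the moneyShelf module. The report does not show
// depositUSDC, so this mock only records the arguments it is called with.
contract RecordingShelf {
    address public lastAccount;
    address public lastTo;
    uint256 public lastAmount;

    function depositUSDC(address account, address to, uint256 amount) external {
        lastAccount = account;
        lastTo = to;
        lastAmount = amount;
    }
}

// Form described in the report: the depositor is a caller-supplied argument.
contract LaundretteBefore {
    RecordingShelf public immutable moneyShelf;
    constructor(RecordingShelf shelf) { moneyShelf = shelf; }

    function depositTheCrimeMoneyInATM(address account, address to, uint256 amount) external {
        moneyShelf.depositUSDC(account, to, amount);
    }
}

// Recommended form: the depositor is always bound to msg.sender.
contract LaundretteAfter {
    RecordingShelf public immutable moneyShelf;
    constructor(RecordingShelf shelf) { moneyShelf = shelf; }

    function depositTheCrimeMoneyInATM(address to, uint256 amount) external {
        moneyShelf.depositUSDC(msg.sender, to, amount);
    }
}

// Calls both variants from this contract and compares the depositor the shelf saw.
contract DepositorBindingCheck {
    address constant THIRD_PARTY = address(0xBEEF); // constructed sample address

    function check() external returns (bool) {
        RecordingShelf shelf = new RecordingShelf();
        LaundretteBefore beforeFix = new LaundretteBefore(shelf);
        LaundretteAfter afterFix = new LaundretteAfter(shelf);

        beforeFix.depositTheCrimeMoneyInATM(THIRD_PARTY, address(this), 1e6);
        bool callerChosen = shelf.lastAccount() == THIRD_PARTY;   // shelf saw the supplied account
        afterFix.depositTheCrimeMoneyInATM(address(this), 1e6);
        bool callerBound = shelf.lastAccount() == address(this);  // shelf saw the caller itself
        return callerChosen && callerBound;
    }
}
```

check() returns true when the original form forwards whatever account the caller names and the recommended form forwards only the caller's own address.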

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
