The documentation states that no one can deposit USDC into the MoneyVault contract directly. However, it appears that users and gang members can transfer USDC into the contract using the standard transfer method.
The MoneyVault contract is designed to restrict direct deposits of USDC, presumably to control how funds are managed and to enforce specific business logic. However, the implementation allows users and gang members to send USDC to the contract using the transfer method, bypassing any restrictions imposed by the deposit logic. This inconsistency creates a loophole where funds can be added to the contract in a manner not intended by the developers.
This inconsistency can lead to several issues:
Unauthorized Deposits: Funds can be added to the contract in an uncontrolled manner, potentially leading to accounting discrepancies.
Security Risks: Bypassing the intended deposit mechanism might expose the contract to unforeseen vulnerabilities.
Operational Confusion: Users and developers might be confused about the correct way to deposit funds, leading to misuse of the contract.
A user or gang member calls the transfer method on the USDC contract, specifying the MoneyVault contract as the recipient.
The USDC tokens are successfully transferred to the MoneyVault contract, bypassing any deposit restrictions.
Manual Review
Update the documentation to inform users not to send USDC directly to the MoneyVault contract.
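To make the accounting discrepancy concrete, the sketch below is an added example, not the audited MoneyVault code. The contract name, the depositor role and every function in it are hypothetical. It shows why an access check on a deposit function cannot stop a plain ERC-20 transfer, and how a vault can measure the amount that arrived outside the deposit path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the audited MoneyVault code. All names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TrackedVault {
    IERC20 public immutable usdc;
    address public immutable depositor; // the only caller allowed to use deposit()
    uint256 public trackedBalance;      // USDC that arrived through deposit()

    event Deposited(address indexed from, uint256 amount);

    constructor(IERC20 usdc_, address depositor_) {
        usdc = usdc_;
        depositor = depositor_;
    }

    // The restricted path. The access check guards this function only.
    function deposit(uint256 amount) external {
        require(msg.sender == depositor, "not authorized");
        require(usdc.transferFrom(msg.sender, address(this), amount), "transfer failed");
        trackedBalance += amount;
        emit Deposited(msg.sender, amount);
    }

    // A plain ERC-20 transfer to this address only updates the token's own ledger.
    // No code in this contract runs, so nothing here can reject the transfer and
    // trackedBalance is not updated. The difference is the untracked amount.
    function untrackedBalance() external view returns (uint256) {
        uint256 actual = usdc.balanceOf(address(this));
        return actual > trackedBalance ? actual - trackedBalance : 0;
    }
}
```

A non-zero untrackedBalance() means tokens reached the vault through a direct transfer rather than through deposit(), which is the condition this finding describes.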