USDC Stuck in MoneyVault Contract Due to Missing Withdrawal Function
Summary
The MoneyVault contract lacks a comprehensive withdrawal function capable of handling USDC funds sent directly to the contract. This issue can result in USDC being stuck in the contract without a way to retrieve or utilize these funds effectively.
Vulnerability Details
The MoneyVault contract is designed to manage USDC funds for users and gang members. However, it does not provide a withdrawal mechanism that can handle USDC sent directly to the contract through the standard transfer method. This oversight means that any USDC transferred to the contract address cannot be withdrawn or managed, effectively rendering these funds inaccessible.
Proof of Concept
A user or gang member transfers USDC directly to the MoneyVault contract using the USDC transfer method.
The USDC tokens are successfully transferred to the contract address.
The contract does not provide a function to withdraw or handle these funds, causing them to be stuck.
Impact
The inability to withdraw directly transferred USDC can lead to several critical issues:
Funds Inaccessibility: USDC funds transferred directly to the contract are stuck and cannot be retrieved or utilized.
Operational Inefficiency: Users and administrators may face significant difficulties in managing and accessing funds within the contract.
Financial Loss: Stuck funds represent a financial loss, as they are unusable for any intended purpose.
Tools Used
Manual Review
Recommendations
Implement a Comprehensive Withdrawal Function: Add a function to the MoneyVault contract that can handle the withdrawal of USDC funds, including those sent directly to the contract.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.