First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Funds migrated to the Money Vault will be stuck

josh4324

Summary

The Laundrette contract does not include a withdrawal function for the funds held in the MoneyVault contract. This deficiency means that even if the migration from the MoneyShelf to the MoneyVault is successful and the funds are transferred properly, these funds will be inaccessible due to the lack of a withdrawal mechanism.

Vulnerability Details

The migration process from the MoneyShelf to the MoneyVault involves transferring funds to the MoneyVault contract. However, the Laundrette contract, which is supposed to manage the funds in the MoneyVault, does not have a function to withdraw these funds. As a result, any USDC successfully transferred to the MoneyVault during migration will be stuck, as there is no implemented method to retrieve or manage these funds within the Laundrette contract.

Proof of Concept

Godfather perform a migration from MoneyShelf to MoneyVault, transferring USDC funds to the MoneyVault contract.
GodFather attempt to withdraw USDC funds from the MoneyVault via the Laundrette contract.
Realize that there is no function in the Laundrette contract to perform this withdrawal.

Impact

The absence of a withdrawal function in the Laundrette contract leads to critical issues:

Funds Inaccessibility: USDC funds transferred to the MoneyVault are stuck and cannot be withdrawn or used.

Operational Inefficiency: The funds management process becomes significantly hampered due to the inability to access or use the funds.

Financial Loss: Stuck funds represent a financial loss as they are unusable and cannot serve their intended purpose.

Tools Used

Manual Review

Recommendations

Implement a Withdrawal Function for funds in the money vault in Laundrette: Add a function to the Laundrette contract to withdraw USDC from the MoneyVault.

// Example function to withdraw USDC from MoneyVault

function withdrawFromMoneyVault(uint256 amount, address to) external {

require(to != address(0), "Invalid address");

uint256 balance = usdc.balanceOf(moneyVaultAddress);

require(amount <= balance, "Insufficient balance in MoneyVault");

usdc.transferFrom(moneyVaultAddress, to, amount);

}

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Emergency migration leave the USDC

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.