First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Any Malicious `GangMember` can withdraw other `GangMember` funds to `godFather` in `MoneyVault` burning their `CrimeMoney`

codexbugmenot

Description

The MoneyVault accepts no deposits and the withdrawls can only be amde to godFathers account but any Malicious GangMember can call withdraw on other GangMenber accounts and can withdraw funds to godFather's account

Impact

Any Malicous GangMember can burn other GangMember's CrimeMoney by calling withdrawl on their account to godFather.

Proof of Concept

Prerequisites: For the following test to work add a new address address caponeBege = makeAddr("Capone Bege"); in the Base.t.sol

PoC: Can Withdraw Others Balance To GodFather

function test_CanWithdrawOthersBalanceToGodFather() public {

vm.prank(godFather);

usdc.transfer(address(this), 100e6);

// balance of godfather after sending 100e6

uint256 godFatherBal1 = usdc.balanceOf(address(godFather));

usdc.approve(address(moneyShelf), 100e6);

//addtess(this) deposits 100e6 in MoneyShef

laundrette.depositTheCrimeMoneyInATM(address(this), address(this), 100e6);

assertEq(usdc.balanceOf(address(this)), 0);

assertEq(usdc.balanceOf(address(moneyShelf)), 100e6);

assertEq(crimeMoney.balanceOf(address(this)), 100e6);

moneyShelf.getAccountAmount(address(this));

//address(this) joins gang

joinGang(address(this));

// caponeBege joins gang

vm.prank(godFather);

laundrette.addToTheGang(caponeBege);

// Emergency Migration takes place here

EmergencyMigration migration = new EmergencyMigration();

(MoneyVault moneyVault, Emergency emergency) =

migration.migrate(kernel, usdc, crimeMoney, laundrette, moneyShelf);

//Malicious caponeBege even though has no balance withdraws 100e6 from address(this) to godFather , completely burning address(this)'s crimeMoney

vm.prank(caponeBege);

emergency.withdrawMoney(address(this), godFather, 100e6);

assertEq(usdc.balanceOf(address(godFather)), godFatherBal1 + 100e6);

assertEq(crimeMoney.balanceOf(address(this)), 0);

}

Recommended Mitigation

Add a check in MoneyVault::withdrawUSDC function to ensure that the msg.sender is godFather to mitigite the issue.

function withdrawUSDC(address account, address to, uint256 amount) external {

+ require(msg.sender == kernel.executor(), "MoneyVault: only GodFather can withdraw USDC");

require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");

withdraw(account, amount);

crimeMoney.burn(account, amount);

usdc.transfer(to, amount);

}

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.