Severity: high
Invalid

H-01. Cannot withdraw funds after migration.

Summary

GodFather cannot withdraw funds after migration.

Vulnerability Details

After running the migration script, the kernel executor does not match the GodFather address.
This makes withdrawing funds from the MoneyVault contract impossible, even by GodFather.

Impact

Severely breaks the protocol functionality.

Tools Used

Manual review

Recommendations

Use kernel to set GodFather as the executor.

Proof of Concept

  1. Add the following test function to test/EmergencyMigrationTest:

    function test_cannoWithdrawAfterMigration() public {
        // Setup gang with GodFather and a member
        vm.deal(godFather, 1000e6);
        vm.prank(godFather);
        usdc.transfer(address(this), 400e6);
        usdc.approve(godFather, 130e6);
        address user = makeAddr("user");
        joinGang(user);

        // Prepare funds and let member deposit funds
        vm.deal(user, 100e6);
        vm.prank(user);
        usdc.approve(address(moneyShelf), 100e6);
        uint256 amountToDeposit = 5e6;
        usdc.transfer(user, amountToDeposit);
        laundrette.depositTheCrimeMoneyInATM(user, user, amountToDeposit);

        // Run migration
        EmergencyMigration migration = new EmergencyMigration();
        MoneyVault moneyVault = migration.migrate(kernel, usdc, crimeMoney);

        // GodFather attempts to withdraw the member's funds
        vm.prank(godFather);
        vm.expectRevert("MoneyVault: only GodFather can receive USDC");
        moneyVault.withdrawUSDC(user, user, amountToDeposit);
    }

  2. Run forge test --mt test_cannoWithdrawAfterMigration

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
