Beginner Friendly / DeFi / Foundry
100 EXP
Submission Details
Severity: medium
Invalid

M-02. Weapons can be assigned to outsiders

Summary

The GodFather can assign weapons to addresses that are not part of the gang; nothing in the contract prevents this mistake.

Vulnerability Details

Laundrette::putGunsInTheSuspendedCeiling deposits weapons for an arbitrary address but never validates that its first argument, account, actually holds the gangmember role, so any address can be given weapons.

Impact

WeaponShelf::bank ends up holding balances for addresses that were never gang members, so the shelf's state no longer reflects who is in the gang.
Assigning weapons to people outside of the gang can be dangerous for the mafia.

Tools Used

Manual Review

Recommendations

Add a check to Laundrette::putGunsInTheSuspendedCeiling that verifies the address holds the gangmember role in the kernel and reverts if it does not:

  function putGunsInTheSuspendedCeiling(address account, uint256 amount) external isGodFather {
+     if (!kernel.hasRole(account, Role.wrap("gangmember"))) {
+         revert("Account is not part of the gang");
+     }
      weaponShelf.deposit(account, amount);
  }
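A test for the hardened function, written here as an added example and not part of the original submission. It assumes the same LaundretteTest fixture the proof of concept relies on (the laundrette, weaponShelf and godFather variables and the joinGang helper) and that the recommended check above has been applied with the revert reason "Account is not part of the gang".

```solidity
// Added example: verifies the recommended fix. Not part of the original
// submission. Assumes the LaundretteTest fixture used by the PoC and that
// putGunsInTheSuspendedCeiling now reverts with
// "Account is not part of the gang" for non-members.
function test_cannotAssignWeaponToOutsiderAfterFix() public {
    address member = makeAddr("member");
    joinGang(member); // test helper from the fixture: member now holds the gangmember role

    address outsider = makeAddr("outsider"); // never joins the gang
    uint256 weaponsToAssign = 5;

    // A gang member can still be armed by the GodFather.
    vm.prank(godFather);
    laundrette.putGunsInTheSuspendedCeiling(member, weaponsToAssign);
    assertEq(weaponShelf.getAccountAmount(member), weaponsToAssign);

    // An outsider is rejected and the weapon shelf stays untouched.
    vm.prank(godFather);
    vm.expectRevert(bytes("Account is not part of the gang"));
    laundrette.putGunsInTheSuspendedCeiling(outsider, weaponsToAssign);
    assertEq(weaponShelf.getAccountAmount(outsider), 0);
}
```

Note that the check only gates new deposits: an address that is armed while a member and later calls quitTheGang keeps whatever balance WeaponShelf already records for it, so a deposit-time role check does not by itself clean up the shelf when membership changes.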

Proof Of Concept

  1. Add the following method to LaundretteTest:

function test_canAssignWeaponToAddressThatsNotInGang() public {
    vm.prank(godFather);
    address user = makeAddr("user");
    joinGang(user); // test helper: user becomes a gang member

    address userThatsNotInGang = makeAddr("not_gang_user"); // never joins the gang
    uint256 weaponsToAssign = 5;

    // The GodFather arms an address that is not part of the gang; no revert.
    vm.prank(godFather);
    laundrette.putGunsInTheSuspendedCeiling(userThatsNotInGang, weaponsToAssign);

    // Unrelated member action; the outsider's balance is unaffected either way.
    vm.prank(user);
    laundrette.quitTheGang(user);

    // The outsider now holds weapons in WeaponShelf.
    assertEq(weaponShelf.getAccountAmount(userThatsNotInGang), weaponsToAssign);
}
  2. Run the following command: forge test --mt test_canAssignWeaponToAddressThatsNotInGang

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
