Submission Details
Severity: medium
Invalid

External users can receive and send crimeMoney

Summary

According to the documentation, only gang members and the godfather are authorized to transfer crime money. However, there is a critical flaw in the implementation that allows external users to receive and transfer crime money.

Vulnerability Details

Function: Crime Money Transfer Functions

Issue: Unauthorized Access

  1. The current implementation does not restrict crime money transfers exclusively to gang members and the godfather.

  2. External users are able to receive and transfer crime money, contrary to the documented permissions.

Impact

Unauthorized Transactions: Unauthorized users can engage in crime money transactions, which may lead to misuse or theft of funds.

Proof of Code

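function test_deposit2() public {
    address add1 = makeAddr("add1");
    address add2 = makeAddr("add2");
    address add3 = makeAddr("add3"); // never added to the gang

    // The godfather adds add1 and add2 as gang members.
    vm.prank(godFather);
    laundrette.addToTheGang(add1);
    vm.prank(godFather);
    laundrette.addToTheGang(add2);

    // The godfather funds both members with 100e6 USDC each.
    vm.prank(godFather);
    usdc.transfer(add1, 100e6);
    vm.prank(godFather);
    usdc.transfer(add2, 100e6);

    // Each member approves the money shelf to pull their USDC.
    vm.prank(add1);
    usdc.approve(address(moneyShelf), 100e6);
    vm.prank(add2);
    usdc.approve(address(moneyShelf), 100e6);

    // Each member deposits, receiving crimeMoney in return.
    vm.prank(add2);
    laundrette.depositTheCrimeMoneyInATM(add2, add2, 100e6);
    vm.prank(add1);
    laundrette.depositTheCrimeMoneyInATM(add1, add1, 100e6);

    // A gang member sends crimeMoney to the external address add3...
    vm.prank(add2);
    crimeMoney.transfer(add3, 100e6);

    // ...and add3, a non-member, transfers it back without reverting.
    vm.prank(add3);
    crimeMoney.transfer(add2, 100e6);
}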

Tools Used

Manual Review

Recommendations

Implement Access Control: Ensure that only gang members and the godfather can transfer crime money by implementing proper access control mechanisms.
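
One way the access control recommended above could look, as an added sketch that is not the project's CrimeMoney contract or code from this submission. It assumes OpenZeppelin Contracts v5 (where every balance change goes through `_update`); the `IGangRegistry` interface, the `minter` address, the `RestrictedCrimeMoney` name and the token name and symbol are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Hypothetical role lookup; the project's real role registry may expose a different interface.
interface IGangRegistry {
    function isGangMember(address account) external view returns (bool);
    function godfather() external view returns (address);
}

// Illustrative token with transfer restrictions (name and symbol are constructed values).
contract RestrictedCrimeMoney is ERC20 {
    IGangRegistry public immutable registry;
    address public immutable minter; // assumed: the only contract allowed to mint and burn

    error NotAuthorized(address account);

    constructor(IGangRegistry registry_, address minter_) ERC20("Restricted Crime Money", "RCM") {
        registry = registry_;
        minter = minter_;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotAuthorized(msg.sender);
        _mint(to, amount);
    }

    function burn(address from, uint256 amount) external {
        if (msg.sender != minter) revert NotAuthorized(msg.sender);
        _burn(from, amount);
    }

    function _isAuthorized(address account) internal view returns (bool) {
        return account == registry.godfather() || registry.isGangMember(account);
    }

    // transfer, transferFrom, mint and burn all end up here in OpenZeppelin v5.
    function _update(address from, address to, uint256 value) internal override {
        // Mints (from == 0) and burns (to == 0) are already gated by the minter check.
        if (from != address(0) && to != address(0)) {
            if (!_isAuthorized(_msgSender())) revert NotAuthorized(_msgSender());
            if (!_isAuthorized(from)) revert NotAuthorized(from);
            if (!_isAuthorized(to)) revert NotAuthorized(to);
        }
        super._update(from, to, value);
    }
}
```

With a hook like this, the `crimeMoney.transfer(add3, 100e6)` call in the test above would revert with `NotAuthorized(add3)`, and wrapping it in `vm.expectRevert` would turn the test into a regression check.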

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
