Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Valid

`depositTheCrimeMoneyInATM` allows another person to front-run the actual user's deposit txn and pass their own `to` address to receive the Crime Money

Summary

The `depositTheCrimeMoneyInATM` function allows anyone to deposit USDC and mint Crime Money in return.

The depositor is expected to first approve USDC to the Money Shelf and then call `depositTheCrimeMoneyInATM`, passing the approving address as the `account` argument. Because the function trusts that argument instead of the caller, anyone who spots the approval can front-run the depositor's txn and have the Crime Money minted to their own address.

Vulnerability Details

The vulnerability is in the `depositTheCrimeMoneyInATM` function, which takes the depositor's account address as an argument. The account that is passed is expected to have first approved the Money Shelf to spend its USDC and then to call the deposit function itself.

Nothing ties `account` to `msg.sender`, however. A front-runner can watch the mempool for that person's approve txn and, as soon as it lands, call deposit with `account` set to the victim's address and `to` set to their own address. The victim's USDC is pulled via the approval and the Crime Money is minted to the attacker.

Impact

Allows an attacker to spend another user's USDC approval and mint the resulting Crime Money to their own address by front-running that user's deposit txn. Any user who approves the Money Shelf before depositing can lose the approved amount.

Tools Used

Manual Review

Recommendations

Instead of letting the depositor pass their account as an argument, use `msg.sender` as the account whose USDC is pulled. An approval can then only be consumed by the address that granted it.
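To make the Vulnerability Details and the Recommendation concrete, here is an added illustration (not the audited project's code) of the two shapes of `depositTheCrimeMoneyInATM`. Only the function name, the `account` and `to` parameters and the USDC-to-Crime-Money flow come from the finding; the contract names `MoneyShelfVulnerable` and `MoneyShelfFixed`, the `ICrimeMoney.mint` interface, the `amount` parameter and the 1:1 mint ratio are assumptions. The same pattern applies to any pull-payment function that lets the caller name the payer rather than using `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding. The interfaces and contract layout
// are assumptions; the real Money Shelf contract is not shown on the page.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ICrimeMoney {
    // Assumed minting interface for the Crime Money token.
    function mint(address to, uint256 amount) external;
}

// Vulnerable shape, as described in the finding: the caller names the
// `account` whose USDC is pulled. Whoever holds an outstanding approval from
// `account` to this contract can be drained by any caller, because nothing
// checks that `account` is the one sending the transaction.
contract MoneyShelfVulnerable {
    IERC20 public immutable usdc;
    ICrimeMoney public immutable crimeMoney;

    constructor(IERC20 _usdc, ICrimeMoney _crimeMoney) {
        usdc = _usdc;
        crimeMoney = _crimeMoney;
    }

    function depositTheCrimeMoneyInATM(address account, address to, uint256 amount) external {
        // `account` is taken from calldata, not from msg.sender: the approval
        // that `account` granted to this contract is spendable by anyone.
        require(usdc.transferFrom(account, address(this), amount), "USDC transfer failed");
        // Crime Money goes to a caller-chosen `to`, so the front-runner
        // receives the tokens paid for with the victim's USDC.
        crimeMoney.mint(to, amount);
    }
}

// Hardened shape: the depositor is always msg.sender, so an approval can only
// be consumed by the address that granted it. `to` may stay a free parameter,
// since the depositor is now spending their own USDC and may direct the
// minted Crime Money wherever they like.
contract MoneyShelfFixed {
    IERC20 public immutable usdc;
    ICrimeMoney public immutable crimeMoney;

    event Deposited(address indexed depositor, address indexed to, uint256 amount);

    constructor(IERC20 _usdc, ICrimeMoney _crimeMoney) {
        usdc = _usdc;
        crimeMoney = _crimeMoney;
    }

    function depositTheCrimeMoneyInATM(address to, uint256 amount) external {
        require(to != address(0), "to is zero address");
        // Pull from msg.sender only. A front-runner calling this after the
        // victim's approve() spends their own allowance (none), so the call
        // reverts inside transferFrom instead of consuming the victim's.
        require(usdc.transferFrom(msg.sender, address(this), amount), "USDC transfer failed");
        crimeMoney.mint(to, amount);
        emit Deposited(msg.sender, to, amount);
    }
}
```

In a Foundry test the difference is easy to pin down: have a victim address approve the shelf, then `vm.prank` an attacker address and call `depositTheCrimeMoneyInATM`. Against `MoneyShelfVulnerable` the attacker's call succeeds and the attacker's Crime Money balance grows; against `MoneyShelfFixed` the same call reverts because the attacker has no allowance of their own, and the victim's approval is untouched.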

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrary account deposit, steal approval
