Submission Details
Severity: high
Valid

Funds are stuck in MoneyVault contract after migration

Description

Since the MoneyVault smart contract is a Shelf contract, all user balances in it are set to zero. Consequently, the MoneyVault::withdrawUSDC function will always revert due to insufficient bank balance, making the funds permanently inaccessible.

function withdrawUSDC(address account, address to, uint256 amount) external {
    require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");
    withdraw(account, amount);
    crimeMoney.burn(account, amount);
    usdc.transfer(to, amount);
}
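
A reduced model of the failure described above, added here as an illustration and not taken from the audited repository. `ShelfModel`, `VaultModel` and `MigrationDemo` are hypothetical stand-ins, and the model assumes Shelf keeps a per-account ledger in its own storage and reverts when that ledger is short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for Shelf (assumption): a per-account ledger that only
// deposit() on this same instance can credit.
contract ShelfModel {
    mapping(address => uint256) public bank;

    function deposit(address account, uint256 amount) public {
        bank[account] += amount;
    }

    function withdraw(address account, uint256 amount) public {
        require(bank[account] >= amount, "Shelf: insufficient balance");
        bank[account] -= amount;
    }
}

// Stand-in for the post-migration vault. The token burn and USDC transfer are
// reduced to a counter so the ledger check is the only step that can revert.
contract VaultModel is ShelfModel {
    uint256 public paidOut;

    function withdrawUSDC(address account, uint256 amount) external {
        withdraw(account, amount); // consults this instance's own ledger
        paidOut += amount;
    }
}

contract MigrationDemo {
    // Returns the balance recorded before migration, the balance the new
    // vault sees for the same account, and whether withdrawUSDC succeeded.
    function run() external returns (uint256 oldBal, uint256 newBal, bool ok) {
        address user = address(0xBEEF); // constructed sample account
        ShelfModel oldShelf = new ShelfModel();
        oldShelf.deposit(user, 100e6); // recorded on the pre-migration shelf

        // Migration deploys a fresh contract; the old ledger is not carried over.
        VaultModel vault = new VaultModel();

        oldBal = oldShelf.bank(user);
        newBal = vault.bank(user);
        try vault.withdrawUSDC(user, 100e6) {
            ok = true;
        } catch {
            ok = false; // the Shelf balance check rejected the withdrawal
        }
    }
}
```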

Impact

Funds are inaccessible after migration

Recommendation

You don't have to apply the Shelf withdrawal logic; instead, you can directly burn the CrimeMoney tokens and transfer the USDC.

function withdrawUSDC(address account, address to, uint256 amount) external {
require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");
- withdraw(account, amount);
crimeMoney.burn(account, amount);
usdc.transfer(to, amount);
}
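
Review bot: with the `withdraw(account, amount);` line removed, nothing left in `withdrawUSDC` constrains the caller or the `account` argument. The function is `external`, the only `require` checks `to`, and `crimeMoney.burn(account, amount);` then burns from whichever account is passed in. If the permission check lived inside `withdraw`, it goes away with this line, so put the equivalent modifier on `withdrawUSDC` itself or require that `msg.sender` is authorised for `account`. Separately, the return value of `usdc.transfer(to, amount);` is ignored; check it or route the transfer through a safe-transfer wrapper so a failed transfer cannot follow a successful burn.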
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Transfer CrimeMoney break the protocol/bad account tracking
