Submission Details
Severity: high
Invalid

External users can also transfer Crime Money with other users which disrupts the protocol privilege conditions

Summary

External users are only allowed to call view functions and deposit USDC, but because the transfer functions in CrimeMoney perform no checks, they can freely transfer CrimeMoney, which breaks the conditions stated by the protocol.

Likewise, gang members should not be allowed to transfer CrimeMoney to external users, but the lack of checks in the CrimeMoney token contract lets them do so.

In addition, a user transferring their Crime Money to another user leaves the accounting in MoneyShelf out of sync with the token balances, so the God Father's withdrawal of USDC suffers from a DoS.

Vulnerability Details

  • The vulnerability is in the CrimeMoney contract, which allows external users to transfer Crime Money between themselves. This violates the protocol rules in the documentation, which state that external users should only call view functions and deposit USDC; instead they can also transfer Crime Money.

  • When a user transfers their whole CrimeMoney balance to another user, their CrimeMoney balance decreases, but the corresponding bank accounting for that user in MoneyShelf stays the same. So whenever the God Father tries to perform a withdrawal, it calls withdrawUSDC on MoneyShelf with that user as the account argument, and the call fails because the user no longer holds the CrimeMoney. Even if the God Father passes the address of the user who received the CrimeMoney, the call also fails because that user's bank amount is 0.

Impact

  • External users can transfer CrimeMoney even though the protocol states that they should not be able to.

  • The God Father would not be able to withdraw USDC after users have transferred Crime Money among themselves.

  • Gang members can also transfer CrimeMoney to external users.

Tools Used

Manual Review

Recommendations

Override all the transfer-based functions in the CrimeMoney token contract and add a modifier that only allows either a gang member or the God Father to perform the transfer, reverting otherwise.
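The following is an added illustration of that recommendation, not code from the CrimeMoney project or the audited repository. It assumes an OpenZeppelin ERC20 base and a hypothetical `IGangRegistry` interface (`isGangMember`, `godFather`) for looking up who is privileged; the page does not say how the protocol actually tracks gang membership.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// @dev Hypothetical registry: the finding mentions gang members and the
///      God Father but not how membership is queried, so this is assumed.
interface IGangRegistry {
    function isGangMember(address account) external view returns (bool);
    function godFather() external view returns (address);
}

/// @notice ERC20 whose transfer paths are restricted to privileged accounts.
///         Minting and burning (via _mint/_burn) are not affected, so a
///         MoneyShelf-style contract can still credit deposits.
contract CrimeMoneyRestricted is ERC20 {
    IGangRegistry public immutable registry;

    error NotPrivileged(address account);

    constructor(IGangRegistry registry_) ERC20("CrimeMoney", "CRIME") {
        registry = registry_;
    }

    /// @dev Reverts unless `account` is a gang member or the God Father.
    modifier onlyPrivileged(address account) {
        if (!registry.isGangMember(account) && account != registry.godFather()) {
            revert NotPrivileged(account);
        }
        _;
    }

    // Both the sender and the recipient must be privileged, so an external
    // user can neither send CrimeMoney nor receive it from a gang member.
    function transfer(address to, uint256 amount)
        public override onlyPrivileged(msg.sender) onlyPrivileged(to) returns (bool)
    {
        return super.transfer(to, amount);
    }

    function transferFrom(address from, address to, uint256 amount)
        public override onlyPrivileged(from) onlyPrivileged(to) returns (bool)
    {
        return super.transferFrom(from, to, amount);
    }
}
```

Note that restricting who may transfer does not by itself keep a separate per-account ledger such as the MoneyShelf bank accounting in sync with token balances; transfers between privileged accounts would still need that accounting reconciled.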

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
