When Gang Members transfer their CrimeMoney to other members, withdrawal fails for God Father, because the CrimeMoney is transferred but the corresponding amount tracked in MoneyShelf via the bank mapping is not updated.
As a result, members who transfer their funds cause a denial of service for God Father's withdrawal of their USDC amount.
The vulnerability occurs when members perform CrimeMoney transfer operations to other members. Their CrimeMoney balance is reduced correctly, but their corresponding bank mapping amount in MoneyShelf remains the same, so whenever God Father tries to withdraw the USDC corresponding to a Gang Member's account, the call reverts.
This occurs because, on withdrawal, the account passed by God Father has its CrimeMoney deducted and its bank mapping deducted by the same amount. The user who now holds the CrimeMoney never had their bank mapping updated, which causes a DoS for the withdrawal by God Father.
God Father will not be able to withdraw from a Gang Member's account.
Consider two gang members, A and B.
A deposits 10 USDC and gets 10 CrimeMoney tokens; their corresponding amount in the bank mapping is updated to 10.
A sends 10 CrimeMoney to B, but B's bank mapping is still 0.
God Father tries to withdraw USDC by burning B's CrimeMoney, but fails because B's bank mapping is 0.
Manual Review
Whenever there is a transfer, also update the bank mapping in MoneyShelf, by overriding all the functions that perform transfers in CrimeMoney and performing the corresponding updates on MoneyShelf.
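
The A/B scenario and the recommended fix, as a simplified Python model of the accounting (an added example, not the project's Solidity code). The class and method names and the `sync_on_transfer` switch are assumptions made for illustration; only the bank mapping, the CrimeMoney balance and the deposit, transfer and withdraw steps come from the finding.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class MoneyShelfModel:  # hypothetical model, not the real contract
    def __init__(self, sync_on_transfer):
        self.bank = {}         # account -> USDC credited in the bank mapping
        self.crime_money = {}  # account -> CrimeMoney token balance
        self.sync_on_transfer = sync_on_transfer

    def deposit(self, account, amount):
        # Deposit credits the bank mapping and mints CrimeMoney 1:1.
        self.bank[account] = self.bank.get(account, 0) + amount
        self.crime_money[account] = self.crime_money.get(account, 0) + amount

    def transfer(self, sender, recipient, amount):
        if self.crime_money.get(sender, 0) < amount:
            raise Revert("insufficient CrimeMoney")
        self.crime_money[sender] -= amount
        self.crime_money[recipient] = self.crime_money.get(recipient, 0) + amount
        if self.sync_on_transfer:
            # Mitigation: the bank credit moves together with the tokens.
            self.bank[sender] = self.bank.get(sender, 0) - amount
            self.bank[recipient] = self.bank.get(recipient, 0) + amount

    def withdraw(self, account, amount):
        # Withdrawal deducts the bank mapping and burns CrimeMoney.
        if self.bank.get(account, 0) < amount:
            raise Revert("bank mapping underflow")
        if self.crime_money.get(account, 0) < amount:
            raise Revert("burn exceeds balance")
        self.bank[account] -= amount
        self.crime_money[account] -= amount
        return amount

    def mismatches(self):
        # Invariant check: bank[x] must equal the CrimeMoney balance of x.
        accounts = set(self.bank) | set(self.crime_money)
        return sorted(a for a in accounts
                      if self.bank.get(a, 0) != self.crime_money.get(a, 0))

def run_scenario(sync_on_transfer):
    shelf = MoneyShelfModel(sync_on_transfer)
    shelf.deposit("A", 10)         # A deposits 10 USDC
    shelf.transfer("A", "B", 10)   # A sends 10 CrimeMoney to B
    broken = shelf.mismatches()
    try:
        return shelf.withdraw("B", 10), broken   # withdrawal against B
    except Revert as err:
        return f"revert: {err}", broken
```

`mismatches()` expresses the invariant a fuzz or invariant test should hold after every transfer: each account's bank mapping equals its CrimeMoney balance.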