Migrating to `MoneyVault` doesn't allow withdrawal to God Father as the balance and corresponding info is not available in `MoneyVault`
Summary
During emergency when MoneyShelf is upgraded to MoneyVault, the funds are still present in MoneyShelf as a result of which God Father will not be able to withdraw USDC.
As a result of which the purpose of MoneyVault will not be fulfilled that is to protect the funds, as funds are locked and cannot be retrieved.
Vulnerability Details
-
The vulnerability occurs due to the migration implementation to the
MoneyVault, when a migration is made all the funds and all the related information is present inMoneyShelfand is not updated inMoneyVaultalong with that the moneyshelf role ofCrimeMoneyis still available forMoneyShelfand is not updated forMoneyVault. -
As a result of which the God Father will not be able to withdraw the funds because they are present in
MoneyShelf, and not sent to migrated moduleMoneyVault.
Impact
God Father not able to withdraw USDC.
Tools Used
Manual Review
Recommendations
Add functions in MoneyShelf and MoneyVault to transfer all the funds and bank mapping related information to MoneyVault and also give moneyshelf role to MoneyVault.
Lead Judging Commences
Emergency migration leave the USDC
MoneyVault cannot burn or mint CrimeMoney
Godfather can add the role manually
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.