Submission Details
Severity: medium
Invalid

Any user can withdraw on behalf of the Godfather in the `MoneyVault` module

Summary

Any user can make the Godfather withdraw USDC from the MoneyVault, because there is no access control on the `withdrawUSDC` function.

Vulnerability Details

A Godfather-only modifier is missing from the `withdrawUSDC` function.

```solidity
function withdrawUSDC(address account, address to, uint256 amount) external {
    require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");
    withdraw(account, amount);
    crimeMoney.burn(account, amount);
    usdc.transfer(to, amount);
}
```

According to the documentation, it should be:

```
MoneyVault
In case of any issue (on-chain or off-chain), MoneyShelf is updated to this contract to protect the money from the justice system or any other gang. Only the GodFather can withdraw and no one can deposit in this contract.
```

Impact

The Godfather loses control over when to withdraw USDC from MoneyVault.

Tools Used

Manual review

Recommendations

Make this change to the code:

- function withdrawUSDC(address account, address to, uint256 amount) external {
+ require (tx.origin == kernel.executor(), “MoneyVault: you are not Godfather”)
require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");
withdraw(account, amount);
crimeMoney.burn(account, amount);
usdc.transfer(to, amount);
}
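
Review bot: The added `require (tx.origin == kernel.executor(), ...)` line authorizes on `tx.origin`, which holds for every call made anywhere inside a transaction the Godfather starts, so the check passes even when an intermediate contract is the one invoking `withdrawUSDC`; compare `msg.sender` against `kernel.executor()` instead, or reuse the caller check the project already applies to its other restricted functions. Two mechanical points on the same hunk: the added line uses typographic quotes and has no terminating semicolon, so it will not compile as written, and the `-` marker on the `function withdrawUSDC(...) external {` line removes the function header while the body and closing brace stay, so that line should be unchanged context rather than a deletion.
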
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
