Submission Details
Severity: low
Invalid

`MoneyVault::withdrawUSDC` not permissioned

Summary

The `withdrawUSDC` function is external and defined in the module MoneyShelf. It should be permissioned because of the Default framework used for this protocol. Only view functions can be called by the user with no permissions.

Vulnerability Details

```solidity
function withdrawUSDC(address account, address to, uint256 amount) external {
    require(to == kernel.executor(), "MoneyVault: only GodFather can receive USDC");
    withdraw(account, amount);
    crimeMoney.burn(account, amount);
    usdc.transfer(to, amount);
}
```

Impact

All the missing benefits of the framework described in the documentation:
"This separation of what and why in the protocol allows for greater flexibility in design while retaining some properties of immutability, which dramatically simplifies protocol development."

Tools Used

Manual review

Recommendations

Write a function in a policy that calls this `withdrawUSDC` function.
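The pattern the submission refers to, where a module function is gated by a `permissioned` modifier and reached only through a policy, is sketched below as an added example. It is not the contest code or the Default framework's own Kernel. `MiniKernel`, `MiniVault`, `MiniPolicy` and all their members are hypothetical names, and balances are plain accounting with no token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, constructed model of a kernel/module/policy permission check.
contract MiniKernel {
    address public executor;
    // policy address => module function selector => allowed
    mapping(address => mapping(bytes4 => bool)) public permitted;

    constructor() { executor = msg.sender; }

    function grant(address policy, bytes4 selector) external {
        require(msg.sender == executor, "MiniKernel: only executor");
        permitted[policy][selector] = true;
    }
}

contract MiniVault {
    MiniKernel public immutable kernel;
    mapping(address => uint256) public balance;

    error PolicyNotPermitted(address caller);

    constructor(MiniKernel kernel_) { kernel = kernel_; }

    // Reverts unless the kernel has granted msg.sender this exact selector.
    modifier permissioned() {
        if (!kernel.permitted(msg.sender, msg.sig)) revert PolicyNotPermitted(msg.sender);
        _;
    }

    function deposit(address account, uint256 amount) external permissioned {
        balance[account] += amount;
    }

    // State-changing module function: callable only by a granted policy.
    function withdraw(address account, address to, uint256 amount) external permissioned {
        require(to == kernel.executor(), "MiniVault: only executor can receive");
        balance[account] -= amount; // checked arithmetic reverts on underflow
    }
}

contract MiniPolicy {
    MiniVault public immutable vault;
    constructor(MiniVault vault_) { vault = vault_; }

    // User-facing entry point: the policy checks the caller, the module trusts only the policy.
    function withdrawToExecutor(uint256 amount) external {
        vault.withdraw(msg.sender, vault.kernel().executor(), amount);
    }
}
```

In this model a direct call to `MiniVault.withdraw` from an externally owned account reverts with `PolicyNotPermitted`, while the same call routed through `MiniPolicy` succeeds once the executor has granted the policy the `withdraw` selector.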

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Breaking "permissioned" framework logic.
