First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

`MoneyVault` does not have `moneyshelf` role and as a result cant call `CrimeMoney::burn` or `CrimeMoney::mint`

4rdiii

[M-2] `MoneyVault` does not have `moneyshelf` role and as a result cant call `CrimeMoney::burn` or `CrimeMoney::mint`

Description:
In the Depoloyer.s.sol script the moneyShelf contract is given the moneyshelf role, giving it access to mint or burn CrimeMoney tokens, but when the emergency mode happens (on top of previous bugs: incorrect dependencies, and funds being stuck in moneyshelf) the moneyVault doesnt have the moneyshelf role and can not call burn to withdraw tokens for godfather.

Impact:
Funds remain inaccessible within the moneyVault due to the lack of permissions to withdraw them. Although a solution exists—assigning the moneyshelf role to MoneyVault—this issue underscores the importance of proper role management during emergency transitions.

Proof of Concept:
Include the following test in migration tests, noting that previous bugs must be resolved before running this test.

function testCantCallBurnLacksRole() public {

//gangM1 joins gang

address gangM1 = makeAddr("M1");

joinGang(gangM1);

vm.prank(godFather);

usdc.transfer(gangM1, 100e6);

//some deposits for contract to test it after emergency

vm.startPrank(gangM1);

usdc.approve(address(moneyShelf), 100e6);

laundrette.depositTheCrimeMoneyInATM(gangM1, gangM1, 100e6);

vm.stopPrank();

assertEq(usdc.balanceOf(gangM1), 0);

assertEq(usdc.balanceOf(address(moneyShelf)), 100e6);

assertEq(address(kernel.getModuleForKeycode(Keycode.wrap("MONEY"))), address(moneyShelf));

//enter emergency mode:

EmergencyMigration migration = new EmergencyMigration();

MoneyVault moneyVault = migration.migrate(kernel, usdc, crimeMoney);

assertNotEq(address(moneyShelf), address(moneyVault));

assertEq(address(kernel.getModuleForKeycode(Keycode.wrap("MONEY"))), address(moneyVault));

//godfather Can NOT withdraw in emergency mode:

uint256 gfBalanceBefore = usdc.balanceOf(godFather);

vm.startPrank(godFather);

vm.expectRevert("CrimeMoney: only MoneyShelf can mint");

laundrette.withdrawMoney(gangM1, godFather, 100e6);

assertEq(usdc.balanceOf(godFather) - gfBalanceBefore, 0); //godFather balance change is zero

assertEq(usdc.balanceOf(address(moneyVault)), 100e6); // moenyvault is empty

}

Recommended Mitigation:
Assign the moneyshelf role to MoneyVault within the EmergencyMigration deployment script to enable token operations during emergency mode.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

MoneyVault cannot burn or mint CrimeMoney

Godfather can add the role manually

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.