MoneyShelf::depositUSDC accepts an arbitrary address for the account parameter. A gang member can therefore pull USDC out of another member's wallet by passing that member's address as the account from which funds are transferred, and effectively steal it.
MoneyShelf::depositUSDC can be called by any address and takes a caller-supplied account address from which USDC is transferred. Because the transfer is performed with the ERC-20 allowance mechanism (transferFrom), a malicious actor can move USDC out of an account they do not own, provided that account has approved the MoneyShelf contract to spend its USDC.
Steps to Reproduce
Gang member A approves the MoneyShelf contract to spend their USDC.
Gang member B calls depositUSDC, passing Gang member A's address as the account parameter.
USDC is transferred from Gang member A's wallet to the MoneyShelf contract without A's consent, and the CrimeMoney credited for the deposit goes to Gang member B.
Gang member B calls withdrawUSDC and retrieves the locked USDC from the contract.
Impact
A malicious gang member can drain USDC from any other member's wallet, up to the amount that member has approved, as long as the victim has approved the MoneyShelf contract to spend their USDC. Since an approval is a prerequisite for any legitimate deposit, every member who intends to use the shelf is exposed.
Manual code review
depositUSDC should be modified so that the account debited is always the caller (msg.sender). This guarantees that a gang member can only deposit their own USDC and cannot name an arbitrary address. Here is the updated implementation:
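The recommended change, together with the reproduction path above, as an added illustration that is not the page's or the project's own code. MoneyShelfExample is a simplified stand-in for MoneyShelf: the IERC20 and ICrimeMoney interfaces, the balances ledger, and the withdrawUSDC shape are assumptions made so the example compiles on its own; the real contract's storage and signatures may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumed; real USDC exposes these functions).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed receipt-token interface. The real CrimeMoney contract is not shown
// on this page; the names here are illustrative only.
interface ICrimeMoney {
    function mint(address to, uint256 amount) external;
    function burn(address from, uint256 amount) external;
}

// Simplified stand-in for MoneyShelf. It models only the deposit/withdraw
// paths relevant to the finding and keeps a plain per-address ledger.
contract MoneyShelfExample {
    IERC20 public immutable usdc;
    ICrimeMoney public immutable crimeMoney;
    mapping(address => uint256) public balances;

    constructor(IERC20 usdc_, ICrimeMoney crimeMoney_) {
        usdc = usdc_;
        crimeMoney = crimeMoney_;
    }

    // VULNERABLE shape (mirrors the finding): `account` is caller-controlled.
    // Reproduction from two wallets A and B:
    //   A: usdc.approve(address(shelf), X);
    //   B: shelf.depositUSDC_vulnerable(A, X);   // A's USDC moves into the shelf
    //   B: shelf.withdrawUSDC(X);                // B walks away with A's USDC
    // The ledger entry and the CrimeMoney go to msg.sender (B), not to A.
    function depositUSDC_vulnerable(address account, uint256 amount) external {
        require(usdc.transferFrom(account, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
        crimeMoney.mint(msg.sender, amount);
    }

    // FIXED: the debited address is always msg.sender, so a member can only
    // deposit funds they control. The `account` parameter is dropped entirely;
    // a caller has no legitimate reason to name someone else's wallet.
    function depositUSDC(uint256 amount) external {
        require(usdc.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
        crimeMoney.mint(msg.sender, amount);
    }

    // Withdrawal is bounded by the caller's own ledger balance.
    function withdrawUSDC(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        crimeMoney.burn(msg.sender, amount);
        require(usdc.transfer(msg.sender, amount), "transfer failed");
    }
}
```

If the external signature must keep an account parameter for compatibility, the equivalent guard is a leading `require(account == msg.sender, "not account owner");`. The general lesson is that an ERC-20 allowance granted to a contract is only as safe as every transferFrom call that contract makes: any code path that lets a caller choose the from address turns the victim's approval into an open withdrawal.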