First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Frontrunning Vulnerability in laundrette.depositTheCrimeMoneyInATM Allows Malicious Fund Diversion

waydou

Summary

The laundrette.depositTheCrimeMoneyInATM function is vulnerable to frontrunning attacks, allowing malicious users to divert crime money to themselves.

Vulnerability Details

The function depositTheCrimeMoneyInATM accepts two parameters: account and to. This design flaw permits a malicious user to frontrun transactions and redirect funds to their own account. When a user sends a transaction to deposit USDC into the MoneyShelf, an attacker can quickly submit a similar transaction with the victim's address as the account and their own address as the to parameter. This enables the attacker to intercept and reroute the intended funds.

Impact

UserA approves moneyshelf to spend their USDC.
UserA send transaction in the mempool to depositTheCrimeMoneyInATM.
Attacker frontrun the previous transaction specifying specifying UserA's address as the account and their own address as the to parameter.
The attacker successfully redirects the crime money to themselves.

Place the following into laundrette.t.sol.

function test_depositAndWithdrawUSDC_FRONTRUN() public {

address attacker = makeAddr("Attacker");

vm.startPrank(godFather);

usdc.transfer(address(this), 100e6);

usdc.transfer(attacker, 100e6);

vm.stopPrank();

usdc.approve(address(moneyShelf), 100e6);

vm.prank(attacker);

laundrette.depositTheCrimeMoneyInATM(address(this), attacker, 100e6);

assertEq(usdc.balanceOf(address(this)), 0); // Victim should have no USDC remaining

assertEq(usdc.balanceOf(address(moneyShelf)), 100e6); // MoneyShelf should have total 100 USDC

assertEq(crimeMoney.balanceOf(attacker), 100e6); // Attacker should still have 100 CrimeMoney

}

Tools Used

Manual review, foundry

Recommendations

To prevent such attacks, remove the account argument from the depositTheCrimeMoneyInATM function and instead rely on msg.sender to determine the source of funds. This change will require reformatting other functions within the contract to ensure compatibility.

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Arbitrary account deposit, steal approval

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.