First Flight #16: Mafia Takedown
First Flight #16
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

USDC deposit can be taken from an account not owned by msg.sender

wetzo

Summary

The function MoneyShelf.sol::depositUSDC allows transferFrom an arbitrary address, allowing a user to take funds from any address with allowance to the contract.

Vulnerability Details

A user can use the depositUSDC function with any account parameter. If this address holds a positive USDC balance and a positive allowance, the deposit will be executed by taking USDC from the given address. Thus, all USDC on accounts that have an open allowance are at risk of being deposited against the will oof their owner.

Impact

Users that have a positive USDC balance and a positive allowance to the contract can have their USDC deposited against their will.

Tools Used

Slither

Recommendations

Enforce deposits from msg.sender.

- function depositUSDC(address account, address to, uint256 amount) external {
+ function depositUSDC(address to, uint256 amount) external {
deposit(to, amount);
- usdc.transferFrom(account, address(this), amount);
+ usdc.transferFrom(msg.sender, address(this), amount);
crimeMoney.mint(to, amount);
}
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrary account deposit, steal approval

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.