Submission Details
Severity: medium
Invalid

Lack of access control when transferring the CrimeMoney token, so any non-gang-member user can receive and transfer CrimeMoney tokens

Description

The CrimeMoney token doesn't have any access control when transferring the token, so anyone, even non-gang members, can receive or transfer it. This differs from what is described in the documentation: "External users: can only call view functions and deposit USDC."

Impact

If a non-gang-member user holds CrimeMoney tokens and refuses to give them back, nobody (other than the godfather) can retrieve the backing USDC.

Proof of Concept

    function test_transferCrimeMoney() public {
        address alice = makeAddr("alice");
        address bob = makeAddr("bob");
        // Setup: the godfather joins, then alice becomes a gang member; bob never does.
        joinGangGodFather();
        joinGang(alice);
        // The godfather funds alice with 100 USDC (6 decimals).
        vm.prank(godFather);
        usdc.transfer(alice, 100e6);
        vm.startPrank(alice);
        usdc.approve(address(moneyShelf), 100e6);
        // Alice deposits USDC through the ATM and is minted CrimeMoney.
        laundrette.depositTheCrimeMoneyInATM(alice, alice, 100e6);
        // Alice sends her CrimeMoney to bob, a non-gang member; the transfer is not reverted.
        crimeMoney.transfer(bob, 100e6);
        vm.stopPrank();
        assertEq(crimeMoney.balanceOf(alice), 0);
        assertEq(crimeMoney.balanceOf(bob), 100e6);
    }

Recommendations

Add access control in the _update(from, to, value) function of CrimeMoney:

    // Override the ERC20 balance hook so every transfer goes through the role check.
    function _update(address from, address to, uint256 value) internal override {
        require(kernel.hasRole(msg.sender, Role.wrap("gangmember")), "CrimeMoney: only gangmember can transfer");
        super._update(from, to, value);
    }
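As an added illustration (not the project's code and not part of the original submission), the contract below gates the same _update hook on the token holder and the recipient rather than on msg.sender: a require on msg.sender alone still lets a gang member hand tokens to an outsider, which is the "receive" half of this finding. The IRoleKernel interface, the GatedCrimeMoney name and the shelf-only mint/burn are assumptions standing in for the project's kernel and MoneyShelf; the check is stricter than the recommendation above, so a mint to a non-member also reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Hypothetical minimal view of the kernel's role check (assumption; the real
// Kernel and Role types live in the project's kernel and are not reproduced here).
interface IRoleKernel {
    function hasRole(address who, bytes32 role) external view returns (bool);
}

contract GatedCrimeMoney is ERC20 {
    bytes32 public constant GANGMEMBER = "gangmember";
    IRoleKernel public immutable kernel;
    // Assumed: the single contract (the shelf/ATM) allowed to mint and burn.
    address public immutable shelf;

    constructor(IRoleKernel kernel_, address shelf_) ERC20("CrimeMoney", "CM") {
        kernel = kernel_;
        shelf = shelf_;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == shelf, "CrimeMoney: only shelf can mint");
        _mint(to, amount);
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == shelf, "CrimeMoney: only shelf can burn");
        _burn(from, amount);
    }

    // In OpenZeppelin v5 every balance change (transfer, transferFrom, mint,
    // burn) passes through _update, so one check here covers all paths.
    // The roles are checked on `from` and `to`, not on msg.sender, so a
    // gang member calling transfer() to a non-member is rejected as well.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0)) {
            require(kernel.hasRole(from, GANGMEMBER), "CrimeMoney: sender not gangmember");
        }
        if (to != address(0)) {
            require(kernel.hasRole(to, GANGMEMBER), "CrimeMoney: recipient not gangmember");
        }
        super._update(from, to, value);
    }
}
```

With this variant the PoC above reverts at crimeMoney.transfer(bob, 100e6) because bob holds no gangmember role.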

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

CrimeMoney can be used by anyone