Lack of Checks for Token Transfers
Summary
The MoneyShef::depositUSDC function does not check the return value of the usdc.transferFrom call. This can lead to an inconsistent state where USDC tokens are not transferred, but the corresponding CrimeMoney tokens are still minted. Proper validation of the token transfer's success is essential to ensure the integrity of the contract's state.
Vulnerability Details
In the MoneyShef::depositUSDC function, the call to usdc.transferFrom transfers USDC tokens from the specified account to the contract. However, the function does not verify whether the transfer was successful. USDC is an upgradable contract, in a version where USDC doesn't revert upon failure of usdc.transferFromand return false instead. If the transfer fails and the function does not check for this failure, it could proceed to mint CrimeMoney tokens even though no USDC tokens were actually transferred.
Impact
he lack of a check for the success of the usdc.transferFrom operation can lead to several issues:
Inconsistent State: CrimeMoney tokens might be minted without the corresponding USDC tokens being transferred, leading to an imbalance.
Financial Loss: Users may exploit this flaw to mint CrimeMoney tokens without actually transferring USDC, potentially leading to financial loss for the system.
Security Risks: Attackers could use this vulnerability to manipulate the token balances and undermine the integrity of the tokenomics of the system.
Tools Used
Manual Review
Recommendations
I should note this should also be checked in the MoneyShef::WithdrawUSDC to avoid any unwanted behavior
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.