First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

ublic Accessibility of migrate Function Allows Unauthorized Contract Upgrades and Fund Management

waydou

Summary

The EmergencyMigration contract contains a critical vulnerability where the migrate function, intended to be callable only by the godfather (Kernel executor), is publicly accessible. This function should be restricted to prevent unauthorized access and protect the funds.

Vulnerability Details

The migrate function is currently publicly accessible, allowing any user to call it. This function is intended for the Kernel_executor to migrate the money shelf to a new contract that only the GodFather can manage. Without proper access control, any user can trigger the migration process, potentially leading to unauthorized contract upgrades and control over the funds.

Impact

Allowing public access to the migrate function can lead to severe consequences:

Unauthorized users can migrate the money shelf, disrupting the intended functionality and control of the funds.
The security and integrity of the funds managed by the MoneyVault can be compromised.
It can result in the funds being locked or mismanaged, leading to potential financial losses

Tools Used

Manual review.

Recommendations

Implement access control to ensure that only the Kernel executor can call the migrate function. This can be achieved by adding a modifier to check the caller's address.

modifier onlyKernelExecutor(Kernel kernel) {

require(msg.sender == kernel.executor(), "Only the kernel executor can call this function");

}

function migrate(Kernel kernel, IERC20 usdc, CrimeMoney crimeMoney) public onlyKernelExecutor(kernel) returns (MoneyVault) {

vm.startBroadcast(kernel.executor());

MoneyVault moneyVault = new MoneyVault(kernel, usdc, crimeMoney);

kernel.executeAction(Actions.UpgradeModule, address(moneyVault));

vm.stopBroadcast();

// Once the problem is solved, GodFather migrate to a new contract and redistribute manually

// all the money to gang members thanks to event monitoring and his accountant.

return moneyVault;

}

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.