First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Bad access control restricting gotdather rights in Laundrette

0xjarix

Summary

Bad access control preventing the godfather from taking guns, withdrawing USDC or adding members to the gang.

Vulnerability Details

Godfather was never attributed the role of "gangmember", at deployment, the godfather does not have the role "gangmember". Thus all functions in the Laundrette that use the modifier onlyRole("gangmember") along with isGodFather or isAuthorizedOrRevert(account) will revert if the caller is the godfather. He cannot add himself to the gang. He could try and call retrieveAdmin to set himself as the admin but the call would revert because of the onlyExecutor modifier that prevents executeAction from being called by any address other than that of the godfather (in that case the Laundrette's call that is the admin will revert). The godfather has to jump through hoops in order to have the access rights he should have, he can directly call executeAction to be the admin, call grantRole to grant himself the role of "gangmember".

Here's the functions that have that bad access control:

function withdrawMoney(

address account,

address to,

uint256 amount

)

external

onlyRole("gangmember")

isAuthorizedOrRevert(account)

{

moneyShelf.withdrawUSDC(account, to, amount);

}

function takeGuns(address account, uint256 amount) external onlyRole("gangmember") isAuthorizedOrRevert(account) {

weaponShelf.withdraw(account, amount);

}

function addToTheGang(address account) external onlyRole("gangmember") isGodFather {

kernel.grantRole(Role.wrap("gangmember"), account);

}

Here's the function that will always revert and thus is useless:

function retrieveAdmin() external {

kernel.executeAction(Actions.ChangeAdmin, kernel.executor());

}

Impact

Godfather cannot take guns, withdraw USDC or add members to the gang without taking the admin role from the laundrette

Tools Used

Manual review

Recommendations

Fix the bug.

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`retrieveAdmin` not working

GodFather is not a gang member

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.