Missing External Transaction Validation
Summary
The MondrianWallet2 smart contract contains a critical vulnerability in the executeTransactionFromOutside function, allowing anyone to execute transactions without validation, leading to the potential loss of the entire wallet balance.
Vulnerability Details
The executeTransactionFromOutside function is designed to execute transactions from outside the contract. However, it lacks the necessary validation mechanism to ensure that only the wallet owner can initiate transactions. This allows an attacker to craft malicious transactions and execute them through this function, transferring the entire wallet balance to an attacker-controlled address.
An attacker would only need to create a Transaction object with the desired parameters (recipient address, amount, data, etc.) and call the executeTransactionFromOutside function with this object. Since no validation is performed, the transaction would be executed immediately.
Impact
This vulnerability could lead to severe financial losses for users of the contract. An attacker could exploit this flaw to drain the entire balance of a user's wallet with ease.
Tools Used
Manual Review
Recommendations
Add transaction validation logic similar to that in the validateTransaction function, including transaction signature verification to ensure that only the wallet owner can execute transactions.
Lead Judging Commences
Missing validation in executeTransactionFromOutside
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.