Summary
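In KittyVault::executeWhiskdrawal (note: the listings below show `executeDepawsit`, which is the function containing the flagged `safeTransferFrom` call)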
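Passing an arbitrary `_user` address as the `from` argument of `transferFrom` (or `safeTransferFrom`) can lead to loss of funds, because tokens can be transferred from any `_user` address that has approved the vault, whether or not `_user` initiated the call. The function shown is restricted by `onlyPool`, so whether this is reachable depends on whether the pool forwards a caller-chosen `_user`; the pool's call site is not shown here.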
Vulnerability Details
/// @notice Records a deposit for `_user` and pulls `_ameownt` of `i_token` from `_user` into this vault.
/// @dev Gated by the `onlyPool` modifier (its definition is not shown here), so `msg.sender`
///      inside this function is whatever address that modifier admits.
/// @param _user Address that is credited with the new shares and that the tokens are pulled from.
/// @param _ameownt Token amount being deposited.
function executeDepawsit(address _user, uint256 _ameownt) external onlyPool {
// Read the collateral total before the vault totals below are updated.
uint256 _totalMeowllateral = getTotalMeowllateral();
uint256 _cattyNipGenerated;
// No collateral reported yet: shares are issued 1:1 with the deposited amount.
if (_totalMeowllateral == 0) {
_cattyNipGenerated = _ameownt;
}
else {
// Otherwise shares are scaled by the existing share supply over the collateral total.
// NOTE(review): presumably mulDiv(a, b) computes _ameownt * a / b; confirm against the math library in use.
_cattyNipGenerated = _ameownt.mulDiv(totalCattyNip, _totalMeowllateral);
}
// Accounting is updated before the external token call below.
userToCattyNip[_user] += _cattyNipGenerated;
totalCattyNip += _cattyNipGenerated;
totalMeowllateralInVault += _ameownt;
// `@>` is the report's marker for the line under discussion; it is not Solidity syntax.
// The `from` argument is the `_user` parameter rather than msg.sender, so this transfer
// relies on `_user`'s allowance to this vault.
// NOTE(review): whether `_user` can be chosen by an untrusted party depends on how the pool
// calls this function; confirm at the pool's call site.
// NOTE(review): presumably safeTransferFrom reverts on failure, undoing the updates above; confirm.
@> IERC20(i_token).safeTransferFrom(_user, address(this), _ameownt);
}
function executeDepawsit(address _user, uint256 _ameownt) external onlyPool {
uint256 _totalMeowllateral = getTotalMeowllateral();
uint256 _cattyNipGenerated;
if (_totalMeowllateral == 0) {
_cattyNipGenerated = _ameownt;
}
else {
_cattyNipGenerated = _ameownt.mulDiv(totalCattyNip, _totalMeowllateral);
}
userToCattyNip[_user] += _cattyNipGenerated;
totalCattyNip += _cattyNipGenerated;
totalMeowllateralInVault += _ameownt;
- IERC20(i_token).safeTransferFrom(_user, address(this), _ameownt);
+ IERC20(i_token).safeTransferFrom(msg.sender, address(this), _ameownt);
}
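Review bot: With `onlyPool` on the signature, `msg.sender` in the new `safeTransferFrom(msg.sender, address(this), _ameownt)` line is the pool contract, so the patched code pulls `_ameownt` from the pool while `userToCattyNip[_user]` is still credited to `_user`. Unless the pool first takes custody of the depositor's tokens and approves the vault (nothing on this page shows that), deposits would revert or draw on the pool's own balance. If the concern is a caller-chosen `_user`, the invariant to verify is at the pool's call site, namely that it passes its own `msg.sender` as `_user`. That could be documented above the transfer with `// _user is supplied by the pool (onlyPool) and must be the pool's msg.sender`. The same point applies to the identical patch repeated under Recommendations.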
Impact
Can lead to loss of funds for a `_user` who has approved the vault.
Tools Used
manual review
Recommendations
Use `msg.sender` instead of `_user` as the `from` argument in `transferFrom` (or `safeTransferFrom`):
function executeDepawsit(address _user, uint256 _ameownt) external onlyPool {
uint256 _totalMeowllateral = getTotalMeowllateral();
uint256 _cattyNipGenerated;
if (_totalMeowllateral == 0) {
_cattyNipGenerated = _ameownt;
}
else {
_cattyNipGenerated = _ameownt.mulDiv(totalCattyNip, _totalMeowllateral);
}
userToCattyNip[_user] += _cattyNipGenerated;
totalCattyNip += _cattyNipGenerated;
totalMeowllateralInVault += _ameownt;
- IERC20(i_token).safeTransferFrom(_user, address(this), _ameownt);
+ IERC20(i_token).safeTransferFrom(msg.sender, address(this), _ameownt);
}