Submission Details
Severity:
Arbitrary `_user` passed to transferFrom (or safeTransferFrom), which can lead to loss of funds
Summary
In KittyVault::executeDepawsit the Arbitrary Passing an arbitrary _user address to transferFrom (or safeTransferFrom) can lead to loss of funds, because anyone can transfer tokens from the _user address if an approval is made.
Vulnerability Details
function executeWhiskdrawal(address _user, uint256 _cattyNipToWithdraw) external onlyPool {
uint256 _ameownt = _cattyNipToWithdraw.mulDiv(getTotalMeowllateral(), totalCattyNip);
userToCattyNip[_user] -= _cattyNipToWithdraw;
totalCattyNip -= _cattyNipToWithdraw;
totalMeowllateralInVault -= _ameownt;
@> IERC20(i_token).safeTransfer(_user, _ameownt);
}
function executeWhiskdrawal(address _user, uint256 _cattyNipToWithdraw) external onlyPool {
uint256 _ameownt = _cattyNipToWithdraw.mulDiv(getTotalMeowllateral(), totalCattyNip);
userToCattyNip[_user] -= _cattyNipToWithdraw;
totalCattyNip -= _cattyNipToWithdraw;
totalMeowllateralInVault -= _ameownt;
- IERC20(i_token).safeTransfer(_user, _ameownt);
+ IERC20(i_token).safeTransfer(msg.sender, _ameownt);
}
Impact
can lead to loss of funds
Tools Used
manual review
Recommendations
Use `msg.sender` as `_user` in transferFrom (or safeTransferFrom)
function executeWhiskdrawal(address _user, uint256 _cattyNipToWithdraw) external onlyPool {
uint256 _ameownt = _cattyNipToWithdraw.mulDiv(getTotalMeowllateral(), totalCattyNip);
userToCattyNip[_user] -= _cattyNipToWithdraw;
totalCattyNip -= _cattyNipToWithdraw;
totalMeowllateralInVault -= _ameownt;
- IERC20(i_token).safeTransfer(_user, _ameownt);
+ IERC20(i_token).safeTransfer(msg.sender, _ameownt);
}
Rewards breakdown
nSLOC
224This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.