First Flight #21: KittyFi

Submission Details
Severity: high
Invalid

Anyone can purge any user's bad position and withdraw the amount to distribute plus the extra reward.

Summary

The function KittyPool::purrgeBadPawsition lacks proper access control, allowing malicious actors to exploit the function to purge any user's bad position and withdraw funds, including the amount to be distributed and an additional reward.

Vulnerability Details

The purrgeBadPawsition function can be called by any user without restriction, which poses a significant security risk. This function is intended to purge a user's bad position by burning their debt and redistributing their collateral. However, due to the absence of access control, any user can call this function on behalf of another user. As a result, an attacker can arbitrarily select a target, purge their bad position, and withdraw the collateral intended for redistribution, plus an extra reward.

The vulnerable code is as follows:

@>  function purrgeBadPawsition(address _user) external returns (uint256 _totalAmountReceived) {
        require(!(_hasEnoughMeowllateral(_user)), KittyPool__UserIsPurrfect());
        uint256 totalDebt = kittyCoinMeownted[_user];
        kittyCoinMeownted[_user] = 0;
        i_kittyCoin.burn(msg.sender, totalDebt);
        uint256 userMeowllateralInEuros = getUserMeowllateralInEuros(_user);
        uint256 redeemPercent;
        if (totalDebt >= userMeowllateralInEuros) {
            redeemPercent = PRECISION;
        } else {
            redeemPercent = totalDebt.mulDiv(PRECISION, userMeowllateralInEuros);
        }
        uint256 vaults_length = vaults.length;
        for (uint256 i; i < vaults_length; ) {
            IKittyVault _vault = IKittyVault(vaults[i]);
            uint256 vaultCollateral = _vault.getUserVaultMeowllateralInEuros(_user);
            uint256 toDistribute = vaultCollateral.mulDiv(redeemPercent, PRECISION);
            uint256 extraCollateral = vaultCollateral - toDistribute;
            uint256 extraReward = toDistribute.mulDiv(REWARD_PERCENT, PRECISION);
            extraReward = Math.min(extraReward, extraCollateral);
            _totalAmountReceived += (toDistribute + extraReward);
@>          _vault.executeWhiskdrawal(msg.sender, toDistribute + extraReward);
            unchecked {
                ++i;
            }
        }
    }

Impact

  • Stolen Funds: An attacker could steal funds from other users by purging their positions and claiming the distributed collateral and rewards.

  • Loss of User Trust: The ability for unauthorized users to tamper with other users' positions could severely damage trust in the platform.

  • Potential Financial Loss: Users may experience financial losses due to unauthorized purges of their positions, leading to a loss of collateral.

Tools Used

  • Manual review

Recommendations

  • Implement Access Control: Use appropriate modifiers or access control mechanisms to ensure that only authorized roles (e.g., an administrator or the affected user) can call the purrgeBadPawsition function.

  • Restrict Withdrawals: Ensure that withdrawals of collateral and rewards can only be executed under strict, predefined conditions and by authorized users.
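
The settlement arithmetic of the purrgeBadPawsition code quoted under Vulnerability Details, as an added Python model that is not part of the submission or of the KittyFi code base: it computes what one call burns from msg.sender and what it passes to executeWhiskdrawal for each vault. The values of PRECISION and REWARD_PERCENT, the caller_kitty parameter, burn reverting on an insufficient balance, and treating every amount as an 18-decimal euro value are assumptions.

```python
# Added model of the arithmetic in purrgeBadPawsition; not KittyFi project code.
PRECISION = 10**18            # assumed value (constant not shown on the page)
REWARD_PERCENT = 5 * 10**16   # assumed 5% (constant not shown on the page)


def mul_div(a: int, b: int, d: int) -> int:
    """floor(a * b / d), the default rounding of OpenZeppelin's Math.mulDiv."""
    return a * b // d


def purge(total_debt, vault_collateral, caller_kitty, has_enough_collateral=False):
    """Settle one purge call. Amounts are modelled as 18-decimal euro values.

    vault_collateral: the target's collateral value in each vault.
    caller_kitty: KittyCoin balance of msg.sender (hypothetical parameter).
    """
    if has_enough_collateral:
        raise ValueError("KittyPool__UserIsPurrfect")  # the require on the first line
    if caller_kitty < total_debt:
        # Assumption: burn reverts on insufficient balance, like a standard ERC-20.
        raise ValueError("burn reverts: caller cannot repay the debt")

    user_collateral = sum(vault_collateral)
    if total_debt >= user_collateral:
        redeem_percent = PRECISION
    else:
        redeem_percent = mul_div(total_debt, PRECISION, user_collateral)

    per_vault = []
    for collateral in vault_collateral:
        to_distribute = mul_div(collateral, redeem_percent, PRECISION)
        extra_collateral = collateral - to_distribute
        extra_reward = min(mul_div(to_distribute, REWARD_PERCENT, PRECISION), extra_collateral)
        per_vault.append(to_distribute + extra_reward)  # passed to executeWhiskdrawal

    received = sum(per_vault)
    return {
        "burned_from_caller": total_debt,
        "received_by_caller": received,
        "per_vault": per_vault,
        "left_with_user": user_collateral - received,
    }


E = 10**18  # unit for the constructed sample amounts below
if __name__ == "__main__":
    print(purge(100 * E, [100 * E, 25 * E], caller_kitty=100 * E))
    print(purge(100 * E, [60 * E], caller_kitty=100 * E))
```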

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
