First Flight #21: KittyFi

First Flight #21

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

A user can mint as much KittyCoin without commiting enough collateral to the protocol

cryptedoji

Summary

A user can mint as many times and as much KittyCoin as she wants if her collateral balance in the pool is not zero.

Vulnerability Details

the kittypool::meowintKittyCoin can be called as long as KittyPool::_hasEnoughMeowllateral returns true hence an attacker can deposit little collateral and continue to mint smaller amount of KittyCoin in a loop and then withdraws her collateral back from the vault. this can be done in one transaction by using loop, deposit and withdraw functions.

PoC

```solidi`ty
function test_userDepositsCollateralMintsKittyCoinAndWithdrawCollateral() public
{
uint256 withdrawAmount = 5 ether;

address attacker = makeAddr("attacker");

deal(weth, attacker, withdrawAmount);

// uint256 user_collateral_inVault_b4Exploit = wethVault.getUserMeowllateral(user);

vm.startPrank(user);

IERC20(weth).approve(address(wethVault), withdrawAmount);

kittyPool.depawsitMeowllateral(weth, withdrawAmount);

vm.stopPrank();

vm.startPrank(attacker);

for(uint i; i <5; ++i){

// step -1 deposit collateral

IERC20(weth).approve(address(wethVault), withdrawAmount);

kittyPool.depawsitMeowllateral(weth, withdrawAmount);

// step-2 user mints kittyCoin as much as she wants

kittyPool.meowintKittyCoin(20e18);

// step-3 user withdraws collateral

IERC20(weth).approve(address(wethVault), withdrawAmount);

kittyPool.whiskdrawMeowllateral(weth, withdrawAmount);

}

vm.stopPrank();

uint256 user_collateral_inVault_afterExploit = wethVault.getUserMeowllateral(attacker);

console.log("collateral bal after exploit==>",user_collateral_inVault_afterExploit );

uint256 user_kittyCoin_bal_afterExploit = kittyCoin.balanceOf(attacker);

assertEq(user_kittyCoin_bal_afterExploit, 100e18);

}

Impact

loss of funds for the protocol

Tools Used

manual review
foundry test

Recommendations

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

224

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.