Critical Vulnerability in KittyVault Contract Allows Unauthorized Token Transfers Due to Improper Use of ERC20 transferFrom Function
Summary
The security assessment of the KittyVault smart contract has identified a vulnerability related to the misuse of the transferFrom function from the ERC20 standard. The current implementation allows for arbitrary addresses to be specified as the from parameter, which can lead to unauthorized token transfers and potential loss of funds.
Vulnerability Details
The primary vulnerability is located in the executeDepawsit and executeWhiskdrawal functions. These functions utilize the transferFrom method without correctly passing msg.sender as the from parameter. This flaw enables any user to transfer tokens from any address, bypassing proper authorization controls. The relevant code snippet is as follows:
By not ensuring that the from parameter is set to msg.sender, the contract inadvertently allows arbitrary address usage, posing a significant security risk.
Impact
The identified vulnerability can result in:
Unauthorized token transfers from users' addresses.
Potential financial loss for token owners, as malicious actors can exploit this flaw to drain funds.
This security flaw can severely undermine the trust and reliability of the KittyVault contract, leading to financial damages and reputational harm.
Tools Used
Manual code review
Recommendations
To mitigate this vulnerability and enhance the security of the KittyVault contract, it is recommended to modify the executeDepawsit and executeWhiskdrawal functions to use msg.sender as the from parameter in the transferFrom calls. The updated code should look like this:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.