The security assessment of the KittyVault smart contract has identified a vulnerability related to the misuse of the transferFrom function from the ERC20 standard. The current implementation allows for arbitrary addresses to be specified as the from parameter, which can lead to unauthorized token transfers and potential loss of funds.
The primary vulnerability is located in the executeDepawsit and executeWhiskdrawal functions. These functions utilize the transferFrom method without correctly passing msg.sender as the from parameter. This flaw enables any user to transfer tokens from any address, bypassing proper authorization controls. The relevant code snippet is as follows:
By not ensuring that the from parameter is set to msg.sender, the contract inadvertently allows arbitrary address usage, posing a significant security risk.
The identified vulnerability can result in:
Unauthorized token transfers from users' addresses.
Potential financial loss for token owners, as malicious actors can exploit this flaw to drain funds.
This security flaw can severely undermine the trust and reliability of the KittyVault contract, leading to financial damages and reputational harm.
Manual code review
To mitigate this vulnerability and enhance the security of the KittyVault contract, it is recommended to modify the executeDepawsit and executeWhiskdrawal functions to use msg.sender as the from parameter in the transferFrom calls. The updated code should look like this:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.