First Flight #21: KittyFi

First Flight #21
Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: high
Invalid

`KittyPool:burnKittyCoin` allows anyone to reduce another person's kittyCoin in kittyPool without their consent/awareness

Summary

The `KittyPool:burnKittyCoin` function lets a third party reduce a user's recorded kittyCoin amount in the pool without the user's awareness. The affected user then has a mismatch between the kittyCoin amount recorded for them in kittyPool and the kittyCoin tokens they actually hold.

Vulnerability Details

The `KittyPool:burnKittyCoin` function allows anyone who holds kittyCoin to reduce the kittyCoin amount recorded in kittyPool for another user:

```solidity
function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
    // Reduces the amount recorded for _onBehalfOf, with no check that
    // msg.sender == _onBehalfOf ...
    kittyCoinMeownted[_onBehalfOf] -= _ameownt;
    // ... while the tokens burnt are the caller's own.
    i_kittyCoin.burn(msg.sender, _ameownt);
}
```

When a third party calls `KittyPool:burnKittyCoin`, only the user's recorded kittyCoin amount in kittyPool is reduced; the kittyCoin tokens the user holds are not. This leaves a mismatch between the kittyCoin amount in kittyPool and the kittyCoin tokens the user actually holds.

Proof of Concept:
In test/KittyFiTest.t.sol, add the following test and run it:

```solidity
function test_audit_burnKittyCoin_anyoneCanBurnOtherUserKittyCoin() public {
    address thirdParty = makeAddr("thirdParty");
    deal(weth, thirdParty, AMOUNT);
    uint256 amountToMint = 20e18;
    uint256 amountGetBurnt = 10e18;

    // user deposits collateral and mints kittyCoin
    vm.startPrank(user);
    IERC20(weth).approve(address(wethVault), 5 ether);
    kittyPool.depawsitMeowllateral(weth, 5 ether);
    kittyPool.meowintKittyCoin(amountToMint);
    vm.stopPrank();

    // third party who holds kittyCoin calls `burnKittyCoin` on behalf of user
    vm.startPrank(thirdParty);
    IERC20(weth).approve(address(wethVault), 5 ether);
    kittyPool.depawsitMeowllateral(weth, 5 ether);
    kittyPool.meowintKittyCoin(amountToMint);
    kittyPool.burnKittyCoin(user, amountGetBurnt);
    vm.stopPrank();

    // user's recorded amount in the pool vs. the tokens user actually holds
    uint256 amountKittyCoinInPool_user = kittyPool.getKittyCoinMeownted(user);
    uint256 amountKittyCoinTokenOwnership_user = KittyCoin(kittyPool.getKittyCoin()).balanceOf(user);
    console.log("amountKittyCoinInPool_user: ", amountKittyCoinInPool_user);
    console.log("amountKittyCoinTokenOwnership_user: ", amountKittyCoinTokenOwnership_user);
    assert(amountKittyCoinInPool_user < amountKittyCoinTokenOwnership_user);
}
```

The test passes, indicating that the kittyCoin amount recorded in kittyPool differs from the kittyCoin token amount the user actually holds.

Impact

Mismatch between the kittyCoin amount recorded in kittyPool and the kittyCoin tokens the user actually holds whenever someone else executes `KittyPool:burnKittyCoin` on the user's behalf without their awareness.

Tools Used

Manual review with forge test

Recommendations

Emit an event whenever `KittyPool:burnKittyCoin` executes successfully, so that a front end or notification system can alert the affected user that someone has reduced their recorded kittyCoin in kittyPool, which could be done on purpose as part of malicious activity against their position.
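As an added illustration (not KittyFi's code), the following stand-alone Foundry file shows the recommended event on `burnKittyCoin`, with the two indexed fields a front end or notifier would filter on, and a test that asserts it fires for the affected user while reproducing the pool-record versus token-balance split from the PoC. `IKittyCoin`, `MockKittyCoin`, `IKittyPoolEvents` and the contract names are assumptions; collateral logic is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed minimal interfaces/mocks so the example compiles on its own.
interface IKittyCoin {
    function mint(address to, uint256 amount) external;
    function burn(address from, uint256 amount) external;
}

contract MockKittyCoin is IKittyCoin {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function burn(address from, uint256 amount) external { balanceOf[from] -= amount; }
}

interface IKittyPoolEvents {
    // onBehalfOf and burner are indexed so a notifier can subscribe per user.
    event KittyCoinBurned(address indexed onBehalfOf, address indexed burner, uint256 amount);
}

contract KittyPoolWithBurnEvent is IKittyPoolEvents {
    IKittyCoin public immutable i_kittyCoin;
    mapping(address => uint256) public kittyCoinMeownted;

    constructor(IKittyCoin kittyCoin) { i_kittyCoin = kittyCoin; }

    // Collateral checks omitted; only the bookkeeping relevant to the finding is kept.
    function meowintKittyCoin(uint256 _ameownt) external {
        kittyCoinMeownted[msg.sender] += _ameownt;
        i_kittyCoin.mint(msg.sender, _ameownt);
    }

    function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
        kittyCoinMeownted[_onBehalfOf] -= _ameownt;
        i_kittyCoin.burn(msg.sender, _ameownt);
        emit KittyCoinBurned(_onBehalfOf, msg.sender, _ameownt); // recommended addition
    }
}

contract KittyPoolBurnEventTest is Test, IKittyPoolEvents {
    function test_thirdPartyBurnEmitsEventForUser() public {
        MockKittyCoin coin = new MockKittyCoin();
        KittyPoolWithBurnEvent pool = new KittyPoolWithBurnEvent(coin);
        address user = makeAddr("user");
        address thirdParty = makeAddr("thirdParty");
        vm.prank(user);       pool.meowintKittyCoin(20e18); // constructed state
        vm.prank(thirdParty); pool.meowintKittyCoin(20e18);

        vm.expectEmit(true, true, false, true, address(pool));
        emit KittyCoinBurned(user, thirdParty, 10e18);
        vm.prank(thirdParty);
        pool.burnKittyCoin(user, 10e18);

        assertEq(pool.kittyCoinMeownted(user), 10e18); // pool record reduced
        assertEq(coin.balanceOf(user), 20e18);         // user's tokens untouched
        assertEq(coin.balanceOf(thirdParty), 10e18);   // burner paid with own tokens
    }
}
```

Run with `forge test --match-test test_thirdPartyBurnEmitsEventForUser -vvv`; the `-vvv` output shows the emitted `KittyCoinBurned` log that a notifier would consume.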

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
