sherlock-audit / 2024-08-winnables-raffles-judging


Keen Cloth Crab - Authentication bypass in BasicToken #625

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

Keen Cloth Crab

Low/Info

Authentication bypass in BasicToken

Summary

The check implemented to allow the transfer operation can be bypassed.

Root Cause

In the BasicToken contract, the owner has full control over the contract. The transfer function is publicly accessible and does not require any form of authentication. An attacker can potentially take control of the contract if they have a large enough token balance.

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/mock/TetherToken.sol#L126

Function: transfer(address _to, uint _value)

Vulnerable code:

function transfer(address _to, uint _value) public onlyPayloadSize(2 * 32) {
    // ...
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Call the transfer function with a payload which satisfies the check

Impact

An attacker can bypass the authentication by sending a transaction with a custom payload that satisfies the onlyPayloadSize modifier.

PoC

contract Attacker {
    BasicToken public basicToken;

    constructor(address _basicToken) public {
        basicToken = BasicToken(_basicToken);
    }

    function drain() external {
        uint attackValue = basicToken.balanceOf(address(this));
        basicToken.transfer(address(0), attackValue); // This should fail due to the onlyPayloadSize modifier, but in a real-world scenario, it might not be present
    }
}

Mitigation

Implement better checks on the requested payload based on multiple factors
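
For reference, an added example (not part of the report and not the audited project's code) that models what a calldata-length check such as onlyPayloadSize(2 * 32) accepts and rejects for transfer(address,uint256). It assumes the modifier has the common form of requiring msg.data.length >= size + 4; the recipient address and amounts are constructed sample values.

```python
# Added example: models a calldata-length check like onlyPayloadSize(2 * 32).
# Assumption: the modifier requires msg.data.length >= size + 4 (4 = selector).

SELECTOR = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
WORD = 32


def encode_transfer(to: bytes, value: int) -> bytes:
    """Well-formed ABI encoding: selector + two left-padded 32-byte words."""
    if len(to) != 20 or not 0 <= value < 2**256:
        raise ValueError("need a 20-byte address and a uint256 value")
    return SELECTOR + to.rjust(WORD, b"\x00") + value.to_bytes(WORD, "big")


def passes_payload_size(calldata: bytes, size: int = 2 * WORD) -> bool:
    """The modelled modifier: a lower bound on calldata length."""
    return len(calldata) >= size + 4


def evm_decode(calldata: bytes):
    """Decode arguments as the EVM does: reads past the end yield zero bytes."""
    padded = calldata[4:].ljust(2 * WORD, b"\x00")
    to = padded[12:WORD]
    value = int.from_bytes(padded[WORD:2 * WORD], "big")
    return to, value


# Constructed sample values.
RECIPIENT = bytes.fromhex("11" * 19 + "00")
GOOD = encode_transfer(RECIPIENT, 1000)
# Malformed input: a faulty encoder dropped the last byte of the address word,
# so every following byte shifts left by one and the calldata is 67 bytes long.
TRUNCATED = GOOD[:35] + GOOD[36:]

if __name__ == "__main__":
    for name, data in (("well-formed", GOOD), ("truncated", TRUNCATED)):
        to, value = evm_decode(data)
        print(f"{name}: len={len(data)} accepted={passes_payload_size(data)} "
              f"to=0x{to.hex()} value={value}")
```

Without the length check, the truncated input would decode to the same recipient with an amount 256 times larger; with the check, the call reverts before any argument is read.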