- High - 100xp
- Medium - 20xp
- Low - 2xp
- Starts: May 23, 2024 Noon UTC
- Ends: May 30, 2024 Noon UTC
- nSLOC: 205
- Complexity Scope: 284
A special thanks to n0kto for contributing this Community First Flight!
Learn more about n0kto!
This code was created for Codehawks as the first flight. It is made with bugs and flaws on purpose. Don't use any part of this code without reviewing and auditing it.
An undercover AMA agent (anti-mafia agency) discovered a protocol used by the Mafia. In several days, a raid will be conducted by the police and we need as much information as possible about this protocol to prevent any problems. But the AMA doesn’t have any web3 experts on their team.
Hawkers, they need your help!
Find flaws in this protocol and send us your findings.
This project uses the Default framework: https://github.com/fullyallocated/Default
Policies are external-facing contracts that receive inbound calls to the protocol, and route all the necessary updates to data models via Modules. Access control and input validation are performed in these contracts.
The AMA intervention will be held in a Laundrette, the headquarters of the mafia. It seems they named the interface contract the same as their shell company.
Anyone can deposit USDC to get CrimeMoney, but only gang members and the GodFather can withdraw USDC. As the French say: giving is giving, taking back is stealing.
Users have to approve the MoneyShelf contract before calling the function to deposit.
Currently, the mafia does not have any way to control the incoming weapons, so only the GodFather can account for them in the real world and assign them to gang members. Gang members have to withdraw them in the contract before taking them in real life. Since they don't want to lose a finger, they never forget to do it that way.
This contract is the admin of Kernel.sol and grants and revokes roles. A function permits the GodFather to retrieve the admin role when needed.
Modules are internal-facing contracts that store shared state across the protocol. Except for view functions, all functions can only be called by authorized policies (which requested permissions from the kernel).
This contract keeps count for the available weapons per member.
This contract is in charge of keeping USDC and minting/burning the CrimeMoney. Users have to approve this contract before calling the Laundrette function to deposit.
In case of any issue (on-chain or off-chain), the funds are migrated from MoneyShelf to this contract to protect the money from the justice system or any other gang.
Only the GodFather can withdraw and no one can deposit in this contract.
A stablecoin pegged to USDC deposited in MoneyShelf.
- Deploy.s.sol deploys the whole protocol.
- EmergencyMigration.s.sol migrates MoneyShelf to MoneyVault in case of an emergency.
- GodFather: Owner, has all the rights.
- GangMember:
  - Deposit USDC and withdraw USDC in exchange for CrimeMoney.
  - Transfer CrimeMoney between members and the GodFather.
  - Take weapons that the GodFather assigned to the member.
- External users: can only call view functions and deposit USDC.
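To make the policy/module split, the kernel permission check and the role rules described above concrete, here is a simplified Solidity sketch added for illustration. It is not the protocol's code and it does not reproduce the Default framework's real API: the contract names (MiniKernel, MiniMoneyShelf, MiniLaundrette), the role identifiers, the permission mapping and the function names are all assumptions. The policy is the external entry point that performs access control and input validation; the module holds the USDC and the ledger and accepts calls only from a policy the kernel admin has permitted for that exact function selector.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Hypothetical, simplified model of the policy/module/kernel pattern.
// Not the protocol's code and not the Default framework's real API.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Kernel (assumed shape): holds roles and per-selector module permissions.
contract MiniKernel {
    address public admin;
    // module => policy => function selector => allowed
    mapping(address => mapping(address => mapping(bytes4 => bool))) public modulePermissions;
    mapping(bytes32 => mapping(address => bool)) public hasRole;

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function setPermission(address module, address policy, bytes4 selector, bool allowed) external onlyAdmin {
        modulePermissions[module][policy][selector] = allowed;
    }
    function grantRole(bytes32 role, address who) external onlyAdmin { hasRole[role][who] = true; }
    function revokeRole(bytes32 role, address who) external onlyAdmin { hasRole[role][who] = false; }
}

// Module (assumed shape): internal-facing, stores state, callable only by permitted policies.
contract MiniMoneyShelf {
    MiniKernel public immutable kernel;
    IERC20 public immutable usdc;
    mapping(address => uint256) public balanceOf; // simplified CrimeMoney ledger

    event Deposited(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);

    constructor(MiniKernel k, IERC20 u) { kernel = k; usdc = u; }

    // The kernel decides which policy may call which selector on this module.
    modifier permissioned() {
        require(kernel.modulePermissions(address(this), msg.sender, msg.sig), "policy not permitted");
        _;
    }

    // The depositor must have approved this module for `amount` beforehand.
    function depositUSDC(address from, uint256 amount) external permissioned {
        require(usdc.transferFrom(from, address(this), amount), "transferFrom failed");
        balanceOf[from] += amount;
        emit Deposited(from, amount);
    }

    function withdrawUSDC(address to, uint256 amount) external permissioned {
        balanceOf[to] -= amount; // checked arithmetic: reverts on insufficient balance
        require(usdc.transfer(to, amount), "transfer failed");
        emit Withdrawn(to, amount);
    }
}

// Policy (assumed shape): external-facing, does access control and input validation,
// then routes the update to the module.
contract MiniLaundrette {
    bytes32 public constant GANG_MEMBER = keccak256("GANG_MEMBER");
    bytes32 public constant GODFATHER = keccak256("GODFATHER");
    MiniKernel public immutable kernel;
    MiniMoneyShelf public immutable shelf;

    constructor(MiniKernel k, MiniMoneyShelf s) { kernel = k; shelf = s; }

    // Open to anyone, but always credited to the caller: the module never receives a
    // caller-chosen account, which addresses the "deposit on any account" known issue.
    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        shelf.depositUSDC(msg.sender, amount);
    }

    // Only gang members and the GodFather may withdraw.
    function withdraw(uint256 amount) external {
        require(
            kernel.hasRole(GANG_MEMBER, msg.sender) || kernel.hasRole(GODFATHER, msg.sender),
            "not a gang member"
        );
        require(amount > 0, "zero amount");
        shelf.withdrawUSDC(msg.sender, amount);
    }
}
```

Deployment order in this sketch: the GodFather deploys MiniKernel (becoming admin), then the module and the policy, then calls setPermission for the policy on both the depositUSDC and withdrawUSDC selectors and grants the GANG_MEMBER role to each member. Anything that is not the permitted policy, including a direct call from a gang member, is rejected by the module's permissioned modifier, so every state change is forced through the single place where roles and inputs are checked.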
- git
  - You'll know you did it right if you can run `git --version` and you see a response like `git version x.x.x`
- foundry
  - You'll know you did it right if you can run `forge --version` and you see a response like `forge 0.2.0 (816e00b 2023-03-16T00:05:26.396218Z)`

```bash
git clone https://github.com/Cyfrin/2024-05-mafia-take-down
cd 2024-05-mafia-take-down
make
make test
```
- Commit Hash: XXX
- Files in scope:

```
├── script
│   ├── Deployer.s.sol
│   ├── EmergencyMigration.s.sol
├── src
│   ├── CrimeMoney.sol
│   ├── modules
│   │   ├── MoneyShelf.sol
│   │   ├── MoneyVault.sol
│   │   ├── Shelf.sol
│   │   └── WeaponShelf.sol
│   ├── policies
│   │   └── Laundrette.sol
```
- Solc Version: 0.8.24
- Chain(s) to deploy to:
  - Polygon
- ERC20 Token Compatibilities:
  - USDC
  - CrimeMoney
- Missing events.
- The Mafia knows that nothing is private on blockchains; view functions will reveal what the mafia owns.
- Users can deposit on any account, not only gang members' accounts.