It is better to whitelist a set of tokens within the code from the get-go, as this helps prevent the challenges posed by the following types of tokens:
Avoid scam coins, shitcoins and pretender coins, e.g. a fake coin named USDC that a seller may be fooled by
Avoid tokens that can be controlled, e.g. ERC1400 permissioned addresses, ERC1644 forced transfers
Impact
Medium
Scam coins can be used, knowingly or unknowingly, as loanTokens or collateralTokens in pools
Controlled tokens may mean that buyer funds are taken out, the account is blacklisted, or balances are changed, for either the borrower or the lender. This makes the protocol not work, as transfers from borrowers or lenders cannot happen
Profits from such tokens can't be swapped to WETH to get fees for Staking, so staking no longer has fees to support it
Tools Used
Manual Analysis
Recommendations
It is recommended that scam coins and controlled coins not be allowed, e.g.
It is recommended that the contracts have a set of whitelisted coins acceptable to all parties or generally acceptable as good
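One way to apply this recommendation, as an added sketch that is not code from the Beedle repository: an owner-managed allowlist checked when a pool is created. The contract name, the `Pool` fields, the `setPool` signature and the single-owner model are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical example: gate pool creation on a token allowlist.
contract AllowlistedLender {
    address public immutable owner;

    // Keyed by contract address, never by name or symbol, so a fake
    // token that merely calls itself "USDC" does not pass the check.
    mapping(address => bool) public allowedToken;

    struct Pool {
        address lender;
        address loanToken;
        address collateralToken;
    }
    mapping(bytes32 => Pool) public pools;

    event TokenAllowed(address indexed token, bool allowed);
    error NotOwner();
    error TokenNotAllowed(address token);

    constructor(address[] memory initialTokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialTokens.length; i++) {
            allowedToken[initialTokens[i]] = true;
            emit TokenAllowed(initialTokens[i], true);
        }
    }

    /// Add or remove a token; emits an event so changes can be monitored.
    function setTokenAllowed(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    /// Both sides of the pool must be allowlisted before it is stored.
    function setPool(address loanToken, address collateralToken) external returns (bytes32 poolId) {
        if (!allowedToken[loanToken]) revert TokenNotAllowed(loanToken);
        if (!allowedToken[collateralToken]) revert TokenNotAllowed(collateralToken);
        poolId = keccak256(abi.encode(msg.sender, loanToken, collateralToken));
        pools[poolId] = Pool(msg.sender, loanToken, collateralToken);
    }
}
```

In this sketch, removing a token from the allowlist only blocks new pools; pools already created with that token are unaffected and would need separate handling.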
Problem Tokens, e.g. Blacklist Tokens - Need Whitelist
Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L670
Summary
There is no whitelist of tokens