Lines of code
https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L624
Vulnerability details
Proof of Concept
The contract implements a whitelist so that non-whitelisted users cannot send more than 100 000 tokens. The limit is enforced per transaction rather than cumulatively, so it does not work: a non-whitelisted user can split any amount into as many transfers of at most 100 000 tokens as needed.
For example, a user who is not on the whitelist can call the transfer function five times with 100 000 tokens each and move 500 000 tokens in total.
I consider this a Medium issue since the whitelist is an important feature of the token and does not work with the current design.
Recommended Mitigation Steps
Replace the per-transaction check with a whitelisted balance (a cumulative sending quota) for each non-whitelisted address, and subtract every transfer made by a non-whitelisted user from that balance, so the limit applies to the total amount sent rather than to each individual call.
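The following Solidity contract is an added illustration of the two designs discussed above and is not code from JPYC's FiatTokenV2. Every name in it (CAP, whitelisted, remainingQuota, transferPerTx, transferWithQuota, grantQuota) is hypothetical, and the cap assumes an 18-decimal token. transferPerTx reproduces the per-transaction check that the report describes as bypassable; transferWithQuota implements the recommended cumulative quota.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not JPYC's FiatTokenV2 code. All identifiers here are
/// hypothetical; the cap follows the 100 000 token figure in the report and
/// assumes an 18-decimal token.
contract CappedTransferToken {
    uint256 public constant CAP = 100_000 * 1e18;

    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public whitelisted;
    /// Hardened design: cumulative amount a non-whitelisted address may still send.
    mapping(address => uint256) public remainingQuota;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() {
        owner = msg.sender;
        balanceOf[msg.sender] = 1_000_000 * 1e18; // constructed sample supply
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setWhitelisted(address account, bool status) external onlyOwner {
        whitelisted[account] = status;
    }

    /// Grants the sending quota of a non-whitelisted address. Whether the quota
    /// is a lifetime figure or is refilled periodically is a policy decision;
    /// this example grants it once.
    function grantQuota(address account, uint256 amount) external onlyOwner {
        remainingQuota[account] = amount;
    }

    /// Vulnerable pattern (the one the report describes): the cap is compared
    /// against the value of this call only, so five calls of 100 000 tokens
    /// move 500 000 tokens from a non-whitelisted sender.
    modifier perTxCap(uint256 value) {
        require(whitelisted[msg.sender] || value <= CAP, "over per-tx cap");
        _;
    }

    function transferPerTx(address to, uint256 value)
        external
        perTxCap(value)
        returns (bool)
    {
        _move(msg.sender, to, value);
        return true;
    }

    /// Hardened pattern (the recommended mitigation): a non-whitelisted sender
    /// spends down remainingQuota on every transfer, so the total it can send
    /// is bounded no matter how the amount is split across calls. Whitelisted
    /// senders are unrestricted.
    modifier consumeQuota(uint256 value) {
        if (!whitelisted[msg.sender]) {
            require(remainingQuota[msg.sender] >= value, "quota exhausted");
            remainingQuota[msg.sender] -= value;
        }
        _;
    }

    function transferWithQuota(address to, uint256 value)
        external
        consumeQuota(value)
        returns (bool)
    {
        _move(msg.sender, to, value);
        return true;
    }

    function _move(address from, address to, uint256 value) internal {
        require(to != address(0), "zero recipient");
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }
}
```

With a non-whitelisted holder of 500 000 tokens and a granted quota of 100 000 tokens, five calls to transferPerTx(to, 100_000e18) all succeed, while only the first call to transferWithQuota(to, 100_000e18) succeeds and the second reverts with "quota exhausted". Note that the quota is tracked per address: in this example a fresh address has no quota until the owner grants one, so received tokens cannot be forwarded; if the project instead gives every address a default quota, the total limit can again be exceeded by routing tokens through fresh addresses, so that design choice needs to be made deliberately.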