code-423n4 / 2022-08-foundation-findings


Add to BlackList function #260

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L1-L451

Vulnerability details

Description:

The cryptocurrency mixing service Tornado Cash has been blacklisted by OFAC. A lot of blockchain companies, token projects and NFT projects have "blacklisted" all Ethereum addresses owned by Tornado Cash that are listed in the US Treasury Department's sanction against the protocol (https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220808). In addition, these platforms even ban accounts that have received ETH from Tornado Cash.

Some of these projects, and details on the subject:

https://twitter.com/bantg/status/1556712790894706688?s=20&t=HUTDTeLikUr6Dv9JdMF7AA

https://cryptopotato.com/defi-protocol-aave-bans-justin-sun-after-he-randomly-received-0-1-eth-from-tornado-cash/

For this reason, every project on the Ethereum network must have a blacklist function; this is a good method to avoid legal problems in the future, apart from the current need.

Although the project is in an upgradable format, the minimal proxy contracts produced by the Factory are not upgradable. A blacklist function must be added to the minimal proxy contracts and the Factory contracts.

This is an important detail against the case where an account funded by Tornado Cash or banned by OFAC mints NFTs from the project.

The blacklist function should be in a model where it is delegated to the person with a role like onlyMinter or OnlyAdmin.

“The ban on Tornado Cash makes little sense, because in the end, no one can prevent people from using other mixer smart contracts, or forking the existing ones. It neither hinders cybercrime, nor privacy.”

However, NFT creators will want to have this right when they create their own independent contracts with the Factory; American citizens especially may want to add addresses to the blacklist legally. This is not an obligation, but it must be included in new contracts created by the Factory as an option.

Here is the best example, and the closest to the project: Manifold.

Manifold NFT Upgradeable Contract: https://etherscan.io/address/0xe4e4003afe3765aca8149a82fc064c0b125b9e5a#code

Usage of "add Blacklist" in Manifold:

    // Manifold's guard: _blacklistedExtensions is an EnumerableSet.AddressSet
    // maintained by the contract owner; any call carrying a listed address reverts.
    modifier nonBlacklistRequired(address extension) {
        require(!_blacklistedExtensions.contains(extension), "Extension blacklisted");
        _;
    }

Recommended Mitigation Steps

Add a blacklist function and modifier.
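The following is an added example of the admin-delegated blacklist the finding describes; it is not code from the Foundation or Manifold contracts. It is written for the EIP-1167 minimal-proxy setting the finding points at, where constructors never run on the clone, so the admin role is set from an initializer instead. The contract names (BlacklistControl, ExampleCollection) and the function and modifier names (setBlacklisted, isBlacklisted, notBlacklisted, initialize, mint) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example, not project code. Per-collection blacklist controlled by a
/// delegated admin (the creator), usable from a minimal-proxy clone because
/// all state is set through an initializer rather than a constructor.
abstract contract BlacklistControl {
    address public blacklistAdmin;
    mapping(address => bool) private _blacklisted;

    event BlacklistUpdated(address indexed account, bool blacklisted);
    event BlacklistAdminTransferred(address indexed previousAdmin, address indexed newAdmin);

    error Blacklisted(address account);
    error NotBlacklistAdmin(address caller);
    error AlreadyInitialized();

    modifier onlyBlacklistAdmin() {
        if (msg.sender != blacklistAdmin) revert NotBlacklistAdmin(msg.sender);
        _;
    }

    /// Guard for minting and other entry points; same shape as Manifold's
    /// nonBlacklistRequired, but backed by a mapping instead of an EnumerableSet.
    modifier notBlacklisted(address account) {
        if (_blacklisted[account]) revert Blacklisted(account);
        _;
    }

    /// Must be called from the clone's initializer: constructors do not run
    /// for EIP-1167 proxies, so this is the only place the admin can be set.
    /// The zero-address check makes it one-shot.
    function _initializeBlacklistAdmin(address admin) internal {
        if (blacklistAdmin != address(0)) revert AlreadyInitialized();
        blacklistAdmin = admin;
        emit BlacklistAdminTransferred(address(0), admin);
    }

    /// Optional by construction: a creator who never calls this has an empty list.
    function setBlacklisted(address account, bool value) external onlyBlacklistAdmin {
        _blacklisted[account] = value;
        emit BlacklistUpdated(account, value);
    }

    function transferBlacklistAdmin(address newAdmin) external onlyBlacklistAdmin {
        emit BlacklistAdminTransferred(blacklistAdmin, newAdmin);
        blacklistAdmin = newAdmin;
    }

    function isBlacklisted(address account) public view returns (bool) {
        return _blacklisted[account];
    }
}

/// Hypothetical implementation contract that a factory would clone.
contract ExampleCollection is BlacklistControl {
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    /// Called by the factory in the same transaction that creates the clone.
    function initialize(address creator) external {
        _initializeBlacklistAdmin(creator);
    }

    /// Both the caller and the recipient are checked, so a listed address can
    /// neither mint directly nor be minted to through an intermediary.
    function mint(address to)
        external
        notBlacklisted(msg.sender)
        notBlacklisted(to)
        returns (uint256 tokenId)
    {
        tokenId = ++nextTokenId;
        ownerOf[tokenId] = to;
    }
}
```

Two points a reviewer would check on any real version of this: the factory has to call initialize atomically with the clone creation, otherwise an attacker can front-run it and become the admin of someone else's collection; and the admin role should be the creator rather than the factory owner, because the finding asks for the blacklist to be an option the individual creator controls, not a platform-wide list.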

HardlyDifficult commented 2 years ago

Dupe of https://github.com/code-423n4/2022-08-foundation-findings/issues/153

HickupHH3 commented 2 years ago

part of warden's QA: #115