Lines of code
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L2-L412
Vulnerability details
Description:
Cryptocurrency mixing service Tornado Cash has been sanctioned by OFAC. Many blockchain companies, token projects and NFT projects have "blacklisted" all Ethereum addresses owned by Tornado Cash that are listed in the US Treasury Department's sanction against the protocol (https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220808). In addition, these platforms even ban accounts that have received ETH from Tornado Cash.
Some of these projects:
Details on the subject:
https://twitter.com/bantg/status/1556712790894706688?s=20&t=HUTDTeLikUr6Dv9JdMF7AA
https://cryptopotato.com/defi-protocol-aave-bans-justin-sun-after-he-randomly-received-0-1-eth-from-tornado-cash/
For this reason, every project on the Ethereum network must have a blacklist function; beyond the current need, this is a good way to avoid legal problems in the future.
Although the project uses an upgradeable pattern, the minimal proxy contracts produced by the Factory are not upgradeable. A blacklist function must therefore be added to the minimal proxy contracts and to the Factory contract.
This is an important detail given that an account funded by Tornado Cash or banned by OFAC could mint NFTs from the project.
The blacklist function should follow a model in which it is delegated to an account holding a role such as onlyMinter or OnlyAdmin.
“The ban on Tornado Cash makes little sense, because in the end, no one can prevent people from using other mixer smart contracts, or forking the existing ones. It neither hinders cybercrime, nor privacy.”
However, NFT creators will want to have this right when they create their own independent contracts with the Factory; American citizens in particular may want to add addresses to the blacklist for legal reasons. This is not an obligation, but it must be included as an option in new contracts created by the Factory.
The closest and clearest example for this project is Manifold:
Manifold NFT Upgradeable Contract: https://etherscan.io/address/0xe4e4003afe3765aca8149a82fc064c0b125b9e5a#code
Usage of Manifold's "add Blacklist" function:
Recommended Mitigation Steps
Add a blacklist function and a corresponding modifier.
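As an added illustration of the recommended mitigation (not code from the Fraxlend repository or from Manifold), the Solidity sketch below shows a blacklist gated by a dedicated role, with a modifier that guards minting, and a factory that wires the role into each non-upgradeable minimal proxy in the same transaction that creates it. All contract, function and event names (Blacklistable, ExampleNFT, ExampleFactory, onlyBlacklister, notBlacklisted) are hypothetical; the clone bytecode is the standard EIP-1167 pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration only; not code from the Fraxlend repository or Manifold.
// All contract, function and event names below are hypothetical.

// Role-gated blacklist that a non-upgradeable clone can carry from deployment.
abstract contract Blacklistable {
    address public blacklister;                     // role that manages the list
    mapping(address => bool) private _blacklisted;

    event Blacklisted(address indexed account);
    event UnBlacklisted(address indexed account);
    event BlacklisterChanged(address indexed newBlacklister);

    error NotBlacklister();
    error AccountBlacklisted(address account);

    modifier onlyBlacklister() {
        if (msg.sender != blacklister) revert NotBlacklister();
        _;
    }

    // Guard for any action a listed address must not perform (minting, transfers, ...).
    modifier notBlacklisted(address account) {
        if (_blacklisted[account]) revert AccountBlacklisted(account);
        _;
    }

    // Clones cannot run a constructor, so the role is set from an initializer.
    function _initBlacklister(address initialBlacklister) internal {
        require(blacklister == address(0), "blacklister already set");
        require(initialBlacklister != address(0), "zero blacklister");
        blacklister = initialBlacklister;
        emit BlacklisterChanged(initialBlacklister);
    }

    function isBlacklisted(address account) external view returns (bool) {
        return _blacklisted[account];
    }

    function addToBlacklist(address account) external onlyBlacklister {
        _blacklisted[account] = true;
        emit Blacklisted(account);
    }

    function removeFromBlacklist(address account) external onlyBlacklister {
        _blacklisted[account] = false;
        emit UnBlacklisted(account);
    }
}

// Implementation that the factory clones; mint is gated on both caller and recipient.
contract ExampleNFT is Blacklistable {
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;

    // Locks the implementation itself; clones start with empty storage and are
    // initialized separately by the factory.
    constructor() { _initBlacklister(msg.sender); }

    function initialize(address admin) external {
        _initBlacklister(admin);                    // reverts on a second call
    }

    function mint(address to)
        external
        notBlacklisted(msg.sender)
        notBlacklisted(to)
        returns (uint256 id)
    {
        id = nextId++;
        ownerOf[id] = to;
    }
}

// Factory: deploys an EIP-1167 minimal proxy and sets the blacklist admin in the
// same transaction, so no instance ever exists without a blacklister.
contract ExampleFactory {
    address public immutable implementation;

    event Created(address indexed instance, address indexed admin);

    constructor() { implementation = address(new ExampleNFT()); }

    function create(address admin) external returns (address instance) {
        address impl = implementation;              // immutables are not readable in assembly
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, impl))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            instance := create(0, ptr, 0x37)
        }
        require(instance != address(0), "clone failed");
        ExampleNFT(instance).initialize(admin);
        emit Created(instance, admin);
    }
}
```

Because a clone shares the implementation's code but not its storage, each instance keeps its own list and its own blacklister, which matches the "optional, per-creator" model described above: the creator passes their minter or admin address to `create`, and that address alone can add or remove entries. A project that wants one global list instead could keep the mapping in the factory and have the `notBlacklisted` modifier call back into it.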