Open code423n4 opened 1 year ago
The Warden has shown an inconsistency in implementation for the blacklist functionality
Because a transfer would still be broken, due to transferFrom
performing a check on all accounts involved, I agree with Medium Severity
GalloDaSballo marked the issue as primary issue
m19 marked the issue as sponsor confirmed
We confirmed this issue in a test and intend to fix it:
function test_approve_RevertWhen_TokenOwnerBlacklistedAndApproveCalledByOperator() external {
_kumaBondToken.issueBond(_alice, _bond);
vm.prank(_alice);
_kumaBondToken.setApprovalForAll(address(this), true);
_blacklist.blacklist(_alice);
vm.expectRevert(abi.encodeWithSelector(Errors.BLACKLIST_ACCOUNT_IS_BLACKLISTED.selector, _alice));
_kumaBondToken.approve(_bob, 1);
}
GalloDaSballo marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/mcag-contracts/KUMABondToken.sol#L143
Vulnerability details
Impact
It is still possible for a blacklisted user's bond token to be approved.
Proof of Concept
KUMABondToken.approve() only checks if
msg.sender
andto
are not blacklisted. It doesn't check if the owner of thetokenId
is not blacklisted.For example, the following scenario allows a blacklisted user's bond token to be approved:
KUMABondToken.setApprovalForAll(B, true)
, and user B can operate on all user A's bond tokens.KUMABondToken.approve(C, bt1)
to approve user C to operate on bond token bt1.Tools Used
VS Code
Recommended Mitigation Steps
KUMABondToken.approve()
should revert if the owner of the tokenId is blacklisted: