If underlying or convertibleBaseAsset is an asset that can blacklist addresses (e.g. USDT, USDC) and the top bidder is an address that was not blacklisted when it bid but is blacklisted afterwards, other users can no longer:
call placeBid() with a higher bid, because when the contract tries to push the underlying tokens back to the blacklisted address, the underlying token contract reverts the transfer.
call closeAuction(), because the convertibleBaseAsset cannot be transferred to the top bidder since the token contract reverts the transfer.
Proof of Concept
Create an auction for a vToken whose underlying has a blacklist function.
Call placeBid() with the first bid.
Blacklist user.
Call placeBid() with a higher bid than the first bid. Expect to revert here.
Recommended Mitigation Steps
Favour pull over push. Instead of pushing the funds back to the outbid bidder inside placeBid() (and to the top bidder inside closeAuction()), record the amount owed and let the user pull the funds in a separate claim call, so a transfer that reverts affects only that user.
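The push-refund pattern from the finding next to a pull-based fix, as an added example (hypothetical minimal auction contract, not the Venus Shortfall code; the names PullRefundAuction, placeBidPush, pendingRefunds and claimRefund are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Minimal auction sketch (hypothetical; not the Venus Shortfall contract).
contract PullRefundAuction {
    using SafeERC20 for IERC20;

    IERC20 public immutable bidToken; // e.g. a token that can blacklist holders
    address public topBidder;
    uint256 public topBid;
    // Refunds owed to outbid bidders; claimed by the bidder, never pushed.
    mapping(address => uint256) public pendingRefunds;

    constructor(IERC20 _bidToken) { bidToken = _bidToken; }

    // VULNERABLE pattern from the finding: the refund is pushed inside placeBid.
    // If topBidder was blacklisted by the token after bidding, safeTransfer reverts
    // and nobody can ever outbid them (auction DoS).
    function placeBidPush(uint256 amount) external {
        require(amount > topBid, "bid too low");
        bidToken.safeTransferFrom(msg.sender, address(this), amount);
        if (topBidder != address(0)) {
            bidToken.safeTransfer(topBidder, topBid); // reverts if topBidder is blacklisted
        }
        topBidder = msg.sender;
        topBid = amount;
    }

    // HARDENED pattern: record the refund; the outbid bidder pulls it later.
    function placeBid(uint256 amount) external {
        require(amount > topBid, "bid too low");
        bidToken.safeTransferFrom(msg.sender, address(this), amount);
        if (topBidder != address(0)) {
            pendingRefunds[topBidder] += topBid; // no external call to the old bidder
        }
        topBidder = msg.sender;
        topBid = amount;
    }

    // A blacklisted bidder's claim still reverts, but only their own call fails.
    function claimRefund() external {
        uint256 owed = pendingRefunds[msg.sender];
        require(owed > 0, "nothing to claim");
        pendingRefunds[msg.sender] = 0; // effects before interaction
        bidToken.safeTransfer(msg.sender, owed);
    }
}
```

The same pull pattern applies to the payout in closeAuction(): record what the top bidder is owed and let them claim it, rather than transferring inside the call that ends the auction.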
Lines of code
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L183
Assessed type
DoS