code-423n4 / 2023-07-tapioca-findings


Protocol may not work with blacklisting capabilities #1354

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/AirdropBroker.sol#L377
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/AirdropBroker.sol#L509
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker.sol#L491
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker.sol#L530

Vulnerability details

Impact

Permissioned tokens or tokens with blacklisting capabilities make the protocol not work as expected

Proof of Concept

If the payment token can blacklist or permission addresses so that they cannot transfer or have tokens transferred to them, the protocol will not work as expected (e.g. ERC1400, Polymath-like tokens). This implies that all the instances mentioned in the links provided will not function, for example:

`_paymentToken.transferFrom(msg.sender, address(this), discountedPaymentAmount);`

Since transfers will be disabled for an address, that user can't send or receive the payment tokens. What's worse is the token can blacklist the protocol address receiving the tokens, `address(this)`, and disable the entire functionality of the protocol for this token as a payment token.

Tools Used

Manual Analysis

Recommended Mitigation Steps

It is recommended to disallow such tokens that can have blacklisting or permissioned capabilities from being used by the protocol

Assessed type

Token-Transfer
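The following is an added illustration of the failure mode and of the recommended mitigation; it is not code from the report or from the Tapioca repository. `BlacklistableToken` is a constructed mock standing in for the ERC1400 / Polymath-style tokens the report mentions, and `PaymentBroker`, `pay` and `setPaymentTokenAllowed` are hypothetical names chosen for this example. The broker's `pay` function mirrors the shape of the quoted `_paymentToken.transferFrom(msg.sender, address(this), ...)` call; the owner-curated allowlist in front of it is one way to implement the "disallow such tokens" recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface the broker needs (subset of the standard interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed mock of a permissioned token: the issuer keeps a blacklist and any
/// transfer that touches a blacklisted address reverts. Not a Tapioca contract.
contract BlacklistableToken {
    address public immutable issuer;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;

    constructor(uint256 supply) {
        issuer = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // Only the token issuer controls the list; the protocol that accepts this token
    // has no say, which is exactly the risk the report points out.
    function setBlacklisted(address account, bool flag) external {
        require(msg.sender == issuer, "not issuer");
        blacklisted[account] = flag;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Either side being listed makes the whole call revert; a caller cannot bypass this.
        require(!blacklisted[from] && !blacklisted[to], "address blacklisted");
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical broker that pulls a payment token from the caller (same shape as the
/// transferFrom call quoted in the report). The owner-curated allowlist is the mitigation:
/// only payment tokens vetted as having no blacklist/permission logic can be used.
contract PaymentBroker {
    address public immutable owner;
    mapping(address => bool) public allowedPaymentToken;

    event PaymentTokenAllowed(address indexed token, bool allowed);
    event Paid(address indexed payer, address indexed token, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    // Blacklist behaviour is not detectable from the ERC-20 interface alone, so the
    // vetting is an off-chain code review of the token before it is switched on here.
    function setPaymentTokenAllowed(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedPaymentToken[token] = allowed;
        emit PaymentTokenAllowed(token, allowed);
    }

    function pay(IERC20 paymentToken, uint256 amount) external {
        require(allowedPaymentToken[address(paymentToken)], "payment token not allowed");
        // With a blacklistable token this reverts for a listed payer, and reverts for
        // every payer once the broker itself (address(this)) is listed by the issuer.
        bool ok = paymentToken.transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom failed");
        emit Paid(msg.sender, address(paymentToken), amount);
    }
}

// Constructed scenario, described rather than executed here:
//   1. The issuer deploys BlacklistableToken; the broker owner deploys PaymentBroker.
//   2. If the owner allowlists the token, a payer approves the broker and calls pay(): succeeds.
//   3. issuer.setBlacklisted(payer, true)            -> pay() reverts: "address blacklisted".
//   4. issuer.setBlacklisted(address(broker), true)  -> pay() reverts for every payer.
//   5. Leaving the token off the allowlist (skip step 2) makes pay() revert up front with
//      "payment token not allowed", which is the report's recommended stance.
```

Step 4 is the worst case the report describes: a single issuer action against `address(this)` takes the whole payment path offline for that token, and nothing in the broker can undo it. That is why the allowlist check sits before the transfer rather than around it, and why the vetting decision belongs to governance rather than to code.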

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

QA

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality