Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L23
Vulnerability details
Impact
This vulnerability would allow malicious actors to add blacklisted tokens into the pool, potentially leading to a variety of issues such as token value manipulation, unexpected contract behavior, or even loss of funds for other participants in the pool.
Proof of Concept
A malicious actor could exploit the Pools contracts by adding blacklisted tokens into the pool. Since the protocol does not currently check for blacklisted tokens, these would be accepted and added to the pool just like any other token.
Tools Used
Manual Review
Recommended Mitigation Steps
The issue at hand can be addressed by implementing a few changes in the protocol. The primary change involves the introduction of a verification process for tokens before they are added to the pool. This process would involve checking whether a token is blacklisted or not.
To achieve this, a list of blacklisted tokens can be maintained within the contract. This list would serve as a reference point whenever tokens are being added to the pool. If a token is found in the blacklist, the protocol would reject its addition to the pool.
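One way to implement the blacklist check described above, as an added illustration that is not Salty.IO's code: an owner-maintained blacklist mapping that every pool-creation call is checked against. The contract, function, modifier and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, minimal illustration of the mitigation: an owner-maintained
// blacklist consulted before any token is admitted into a pool.
// Not the Salty.IO Pools contract; all names here are assumptions.
contract BlacklistedTokenGuard {
    address public owner;
    mapping(address => bool) public blacklisted;
    mapping(bytes32 => bool) public poolExists;

    event BlacklistUpdated(address indexed token, bool status);

    error NotOwner();
    error TokenBlacklisted(address token);
    error PoolAlreadyExists(bytes32 poolId);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Rejects any call whose token arguments appear in the blacklist.
    modifier notBlacklisted(address tokenA, address tokenB) {
        if (blacklisted[tokenA]) revert TokenBlacklisted(tokenA);
        if (blacklisted[tokenB]) revert TokenBlacklisted(tokenB);
        _;
    }

    constructor() { owner = msg.sender; }

    // Only the owner may add or remove a token from the blacklist.
    function setBlacklisted(address token, bool status) external onlyOwner {
        blacklisted[token] = status;
        emit BlacklistUpdated(token, status);
    }

    // Canonical pool id that does not depend on argument order.
    function poolIdOf(address tokenA, address tokenB) public pure returns (bytes32) {
        (address lo, address hi) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        return keccak256(abi.encodePacked(lo, hi));
    }

    // The blacklist check runs before any state is written.
    function addPool(address tokenA, address tokenB) external notBlacklisted(tokenA, tokenB) {
        bytes32 id = poolIdOf(tokenA, tokenB);
        if (poolExists[id]) revert PoolAlreadyExists(id);
        poolExists[id] = true;
    }
}
```

Because the check is a modifier on the entry point, a blacklisted token reverts before any pool state is created, which is the behaviour the mitigation asks for.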
Assessed type
ERC20