Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/Pools.sol#L219
Vulnerability details
Impact
withdraw will revert, and funds will be locked in the contract.
Proof of Concept
USDC or USDT has a blacklist function that can cause blacklisted tokens not to transfer. Tokens can still get blacklisted after they are deposited.
Tools Used
manual
Recommended Mitigation Steps
Check if the user is not blacklisted. Consider allowing withdraw() to be called after a set period of time after the pool end if most users have withdrawn or some similar criteria.
Assessed type
DoS
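A minimal Solidity model of the failure mode described above, added here as an illustration and not taken from Salty's Pools.sol. `BlacklistToken` and `SimplePool` are hypothetical contracts standing in for a blacklist-enabled token and a pool that pays out to `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: all names are hypothetical; this is not Salty's Pools.sol.
/// Constructed stand-in for a token whose issuer can blacklist addresses.
contract BlacklistToken {
    address public immutable issuer = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public isBlacklisted;

    constructor() { balanceOf[msg.sender] = 1_000_000e6; } // constructed sample supply

    function setBlacklisted(address who, bool flag) external {
        require(msg.sender == issuer, "not issuer");
        isBlacklisted[who] = flag;
    }
    function approve(address spender, uint256 amount) external returns (bool) { allowance[msg.sender][spender] = amount; return true; }
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // checked math reverts if allowance is too low
        _move(from, to, amount);
        return true;
    }
    // Reverts when either party is blacklisted: the behaviour the finding relies on.
    function _move(address from, address to, uint256 amount) internal {
        require(!isBlacklisted[from] && !isBlacklisted[to], "blacklisted");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}
/// Minimal pool: internal credit on deposit, payout to msg.sender on withdraw.
contract SimplePool {
    BlacklistToken public immutable token;
    mapping(address => uint256) public credit;
    constructor(BlacklistToken t) { token = t; }
    function deposit(uint256 amount) external {
        // Deposit-time check from the recommendation; it cannot see a later blacklisting.
        require(!token.isBlacklisted(msg.sender), "blacklisted at deposit");
        token.transferFrom(msg.sender, address(this), amount);
        credit[msg.sender] += amount;
    }
    function withdraw(uint256 amount) external {
        credit[msg.sender] -= amount;
        // Reverts on every call once msg.sender is blacklisted, so the credit stays locked.
        token.transfer(msg.sender, amount);
    }
}
```

If the issuer calls `setBlacklisted(user, true)` after `deposit()`, every later `withdraw()` by that user reverts inside `_move` and `credit[user]` is unchanged, even though the deposit-time check passed.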