Closed howlbot-integration[bot] closed 3 months ago
This poses a security risk in case of a malicious owner, since disallowedTokens can be withdrawn by the owner
koolexcrypto marked the issue as duplicate of #90
koolexcrypto marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364-L366
Vulnerability details
Impact
Once a token is allowed, it can never be disallowed again.
Proof of Concept
The allowToken function only sets isTokenAllowed to true for a token address. There is no way to set it back to false once allowed.
Tokens should be able to be allowed and disallowed as needed.
Tools Used
Recommended Mitigation Steps
Add a disallowToken function:
Assessed type
Context
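An added sketch, not code from the report or from PrelaunchPoints.sol, of a `disallowToken` function that also addresses the concern raised in the comment on this issue: tokens that are no longer allowed must not become withdrawable by the owner. It assumes a hypothetical per-token `totalDeposited` counter and hypothetical `deposit`, `withdraw` and `recoverERC20` functions; only `allowToken`, `disallowToken` and `isTokenAllowed` are names taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Illustrative only. Names other than allowToken, disallowToken and
// isTokenAllowed are hypothetical and do not come from the audited contract.
contract TokenAllowlistSketch {
    address public immutable owner;
    mapping(address => bool) public isTokenAllowed;
    mapping(address => uint256) public totalDeposited; // user funds held, per token
    mapping(address => mapping(address => uint256)) public balances; // user => token

    error NotOwner(); error TokenNotAllowed(); error ExceedsSurplus(); error TransferFailed();
    event TokenAllowanceSet(address indexed token, bool allowed);

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    constructor() { owner = msg.sender; }

    function allowToken(address token) external onlyOwner { _setAllowed(token, true); }
    // Blocks new deposits of `token`; existing deposits stay withdrawable by users.
    function disallowToken(address token) external onlyOwner { _setAllowed(token, false); }
    function _setAllowed(address token, bool allowed) private {
        isTokenAllowed[token] = allowed;
        emit TokenAllowanceSet(token, allowed);
    }

    function deposit(address token, uint256 amount) external {
        if (!isTokenAllowed[token]) revert TokenNotAllowed();
        balances[msg.sender][token] += amount;
        totalDeposited[token] += amount;
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    // No allowlist check here: users can always exit, even after disallowToken.
    function withdraw(address token, uint256 amount) external {
        balances[msg.sender][token] -= amount; // reverts on underflow
        totalDeposited[token] -= amount;
        if (!IERC20(token).transfer(msg.sender, amount)) revert TransferFailed();
    }

    // Recovery is bounded by accounting, not by the allowlist flag, so flipping
    // a token to disallowed never exposes user deposits to the owner.
    function recoverERC20(address token, uint256 amount) external onlyOwner {
        uint256 surplus = IERC20(token).balanceOf(address(this)) - totalDeposited[token];
        if (amount > surplus) revert ExceedsSurplus();
        if (!IERC20(token).transfer(owner, amount)) revert TransferFailed();
    }
}
```

The sketch assumes tokens that return `bool` and transfer the full amount; fee-on-transfer or non-standard tokens need a safe-transfer wrapper and balance-delta accounting.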