code-423n4 / 2024-05-loop-findings


Tokens cannot be removed from Allowedlist once added #92

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364-L366

Vulnerability details

Impact

When a token is added to an allowed list, there should be a disallow function to be able to remove the token once the token does not meet regulations anymore or the owner does not want it in the allowed list anymore.

In this protocol, once the token is allowed, there is no way to disallow the token.

Proof of Concept

This is the function responsible for adding tokens to the allowed list:

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Once the address of the token is passed, the owner does not have any option to change the value to false.

Tools Used

Manual analysis with VS Code

Recommended Mitigation Steps

You can add a disallow function to remove tokens from the allowed list like this:

    function disAllowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
    }

Assessed type

Other

0xd4n1el commented 3 months ago

This poses a security risk in case of a malicious owner, since disallowedTokens can be withdrawn by the owner.
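The trade-off between the report's proposed `disAllowToken` and the comment above, as an added Solidity sketch that is not part of the thread and not the audited contract's code: delisting only blocks new deposits, and the owner sweep is capped at the surplus above recorded user deposits. `AllowlistSketch`, `recoverERC20`, `deposit`, `withdraw`, `totalDeposited` and `deposits` are hypothetical names; the sketch assumes tokens that return `bool` and take no transfer fee.

```solidity
pragma solidity ^0.8.20;
// Added sketch, not the audited contract. Names other than allowToken,
// disAllowToken, isTokenAllowed and onlyAuthorized are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract AllowlistSketch {
    address public immutable owner;
    mapping(address => bool) public isTokenAllowed;
    mapping(address => uint256) public totalDeposited; // token => user funds held
    mapping(address => mapping(address => uint256)) public deposits; // user => token

    modifier onlyAuthorized() { require(msg.sender == owner, "not authorized"); _; }

    constructor() { owner = msg.sender; }

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

    // Delisting only stops new deposits; it grants the owner nothing.
    function disAllowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
    }

    function deposit(address _token, uint256 _amount) external {
        require(isTokenAllowed[_token], "token not allowed");
        deposits[msg.sender][_token] += _amount;
        totalDeposited[_token] += _amount;
        require(IERC20(_token).transferFrom(msg.sender, address(this), _amount), "transfer failed");
    }

    // Withdrawal ignores the list, so delisted deposits stay redeemable.
    function withdraw(address _token, uint256 _amount) external {
        deposits[msg.sender][_token] -= _amount; // reverts on underflow (0.8+)
        totalDeposited[_token] -= _amount;
        require(IERC20(_token).transfer(msg.sender, _amount), "transfer failed");
    }

    // Owner sweep is capped at the surplus above recorded user deposits.
    function recoverERC20(address _token, uint256 _amount) external onlyAuthorized {
        uint256 surplus = IERC20(_token).balanceOf(address(this)) - totalDeposited[_token];
        require(_amount <= surplus, "exceeds surplus");
        require(IERC20(_token).transfer(owner, _amount), "transfer failed");
    }
}
```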

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #98

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid