code-423n4 / 2024-05-loop-findings


Protocol Cannot Disallow Unwanted or Blacklist Tokens After it has been Allowed #97

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L365

Vulnerability details

Impact

The protocol cannot disallow unwanted or blacklisted tokens after they have been allowed, which exposes innocent users to the risk of fund loss from interacting with bad tokens.

Proof of Concept

As shown in the allowToken(...) function below from the PrelaunchPoints contract, the protocol only implemented functionality to allow tokens. However, if an added token turns out to be a blacklisted token or a broken token that could cause fund loss to users, the protocol would not be able to remove it, as the allowance becomes permanent.

    function allowToken(address _token) external onlyAuthorized {
>>>        isTokenAllowed[_token] = true;
    }

Tools Used

Manual Review

Recommended Mitigation Steps

As shown below, the protocol should add a disallow function to ensure that unauthorized tokens cannot affect protocol integrity.

+++    function disAllowToken(address _token) external onlyAuthorized {
+++        isTokenAllowed[_token] = false;
+++    }

Assessed type

Access Control

0xd4n1el commented 3 months ago

This poses a security risk in the case of a malicious owner, since disallowed tokens can be withdrawn by the owner.
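The two comments above pull in opposite directions: the report asks for a `disallowToken` function, and the reply points out that if the owner's recovery path is gated only on `isTokenAllowed`, then "disallow, then recover" becomes a way to take user deposits. The contract below is an added example, not the Loop protocol's PrelaunchPoints code, showing one way to reconcile the two: `disallowToken` only stops new deposits, and the owner's recovery function is gated on a separate, never-cleared `wasEverAllowed` flag, so a token that users were ever invited to deposit stays out of the owner's reach while depositors keep their own exit. Everything except the `isTokenAllowed` mapping and `allowToken` (which appear in the report) is hypothetical: the `owner`-based `onlyAuthorized` modifier, `wasEverAllowed`, `balances`, `deposit`, `withdraw` and `recoverERC20` are assumed for illustration, as is the existence of a recovery function in the real contract, which is only inferred from the reply above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Loop protocol's PrelaunchPoints contract. Minimal
// ERC-20 surface; a production contract would use SafeERC20 to handle tokens
// that do not return a bool.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenAllowlist {
    address public owner; // assumed single-owner authorization

    // May users deposit this token right now? (from the report)
    mapping(address => bool) public isTokenAllowed;
    // Has this token ever been allowed? Set once, never cleared (hypothetical).
    mapping(address => bool) public wasEverAllowed;
    // Per-user, per-token deposits so users can always exit (hypothetical).
    mapping(address => mapping(address => uint256)) public balances;

    event TokenAllowed(address indexed token);
    event TokenDisallowed(address indexed token);
    event Recovered(address indexed token, uint256 amount);

    error NotAuthorized();
    error TokenNotAllowed(address token);
    error UserDepositedToken(address token);
    error TransferFailed();

    modifier onlyAuthorized() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
        wasEverAllowed[_token] = true; // sticky: never reset by disallowToken
        emit TokenAllowed(_token);
    }

    // Stops new deposits only. Existing deposits remain withdrawable by their
    // depositors, and the token stays excluded from recoverERC20.
    function disallowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
        emit TokenDisallowed(_token);
    }

    function deposit(address _token, uint256 _amount) external {
        if (!isTokenAllowed[_token]) revert TokenNotAllowed(_token);
        balances[msg.sender][_token] += _amount; // effects before interaction
        if (!IERC20(_token).transferFrom(msg.sender, address(this), _amount)) {
            revert TransferFailed();
        }
    }

    // Depositors can always pull their own funds back, allowed or not.
    function withdraw(address _token, uint256 _amount) external {
        balances[msg.sender][_token] -= _amount; // checked math reverts on underflow
        if (!IERC20(_token).transfer(msg.sender, _amount)) revert TransferFailed();
    }

    // Recovery of tokens sent here by mistake. Gated on wasEverAllowed rather
    // than isTokenAllowed, so "disallow then recover" cannot drain user deposits.
    function recoverERC20(address _token, uint256 _amount) external onlyAuthorized {
        if (wasEverAllowed[_token]) revert UserDepositedToken(_token);
        if (!IERC20(_token).transfer(owner, _amount)) revert TransferFailed();
        emit Recovered(_token, _amount);
    }
}
```

The design point is that the allow flag and the recovery guard are two different questions ("can users deposit now?" versus "might this contract be holding user funds in this token?") and should not share one boolean. Gating recovery on the sticky flag is what lets `disallowToken` exist without handing the owner a withdrawal path. The example ignores fee-on-transfer and rebasing tokens, for which `balances` would drift from the contract's real holdings.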

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #98

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid