Closed c4-bot-5 closed 4 months ago
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L78-L90
https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L177-L191
https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L199-L213

Vulnerability details

Impact
Some tokens (e.g. USDC, USDT) have a contract-level, admin-controlled address blocklist. If an address is blocked, transfers to and from that address are forbidden. Where a pool function transfers tokens to the caller's own address rather than to a recipient the caller chooses, a user whose address has been blocked cannot receive funds from the pool, and the call reverts.

Proof of Concept
https://github.com/d-xo/weird-erc20?tab=readme-ov-file#tokens-with-blocklists

Tools Used
Manual Review

Recommended Mitigation Steps
Add a parameter for the recipient address in all functions.

Assessed type
Token-Transfer
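The following is an added illustration of the failure mode and of the recommended mitigation; it is not PredyPool code and none of the contract or function names (BlocklistToken, PoolFixedRecipient, PoolChosenRecipient, Scenario) come from the project. The token is a constructed stand-in for a USDC-style blocklist: once the admin blocks an address, a pool that always pays out to msg.sender can no longer return that user's deposit, while a pool that accepts a recipient parameter still can.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not PredyPool code. All contract and function names are constructed.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed stand-in for a blocklist token such as USDC: the admin can block
/// an address, after which any transfer to or from it reverts.
contract BlocklistToken is IERC20 {
    address public immutable admin;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blocked;

    constructor() { admin = msg.sender; }

    // Unrestricted mint for the demo only.
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function setBlocked(address account, bool isBlocked) external {
        require(msg.sender == admin, "not admin");
        blocked[account] = isBlocked;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Allowance bookkeeping omitted; demo only.
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        require(!blocked[from] && !blocked[to], "blocklisted");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern: tokens always go to msg.sender. Once msg.sender is
/// blocklisted the withdrawal reverts and the deposit is stuck.
contract PoolFixedRecipient {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) { token = _token; }

    function supply(uint256 amount) external {
        deposits[msg.sender] += amount;
        token.transferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // reverts if msg.sender is blocked
    }
}

/// Mitigated pattern from the report: the caller names a recipient, so a
/// blocked depositor can still route funds to an address that is not blocked.
contract PoolChosenRecipient {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) { token = _token; }

    function supply(uint256 amount) external {
        deposits[msg.sender] += amount;
        token.transferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount, address recipient) external {
        require(recipient != address(0), "zero recipient");
        deposits[msg.sender] -= amount;
        token.transfer(recipient, amount);
    }
}

/// Walk-through: deposit into both pools, get blocklisted, then compare.
/// Expected: fixedReverted == true, chosenSucceeded == true.
contract Scenario {
    function run() external returns (bool fixedReverted, bool chosenSucceeded) {
        BlocklistToken t = new BlocklistToken(); // this contract becomes the token admin
        PoolFixedRecipient a = new PoolFixedRecipient(t);
        PoolChosenRecipient b = new PoolChosenRecipient(t);
        t.mint(address(this), 200);
        a.supply(100);
        b.supply(100);
        t.setBlocked(address(this), true); // the depositor is now blocked
        try a.withdraw(100) { fixedReverted = false; } catch { fixedReverted = true; }
        address safeAddr = address(0xBEEF); // constructed, non-blocked recipient
        try b.withdraw(100, safeAddr) { chosenSucceeded = true; } catch { chosenSucceeded = false; }
    }
}
```

Deploying Scenario and calling run() in a local test environment returns (true, true): the fixed-recipient withdrawal reverts with "blocklisted", the recipient-parameter withdrawal completes. A recipient parameter addresses the case where the depositor's own address is blocked; it does nothing for the separate case where the pool contract itself is added to the token's blocklist, which no pool-side design can work around.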