code-423n4 / 2024-06-vultisig-findings


Unimplemented blacklistedCount Functionality #187

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/Whitelist.sol#L173-L175

Vulnerability details

Impact

It is expected that the whitelist contract will implement a means of tracking the number of blacklisted addresses. This is expressed in the contest page as: "There could be some suspicious actors so owner can add those addresses to the blacklist. In this case, the total whitelisted addresses will be `whitelistCount - blacklistedCount`." Interestingly, there is no variable or function that does this, none whatsoever. Moreover, the contract generally does not emit events related to blacklisted addresses.

Given that it is expected to somehow track the number of blacklisted accounts to be able to adjust the `allowedWhitelistIndex` to ensure the minimum number of whitelisted addresses is met, it is imperative to be able to track the number of blacklisted accounts. This can be done when adding addresses to the blacklist, as it is done in the whitelist.

Proof of Concept

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/Whitelist.sol#L173-L175

Tools Used

Recommended Mitigation Steps

You can have a `blacklistedCount` variable declared as `uint public blacklistedCount` which is updated in the `setBlacklisted()` function as:

```solidity
uint public blacklistedCount;

function setBlacklisted(address blacklisted, bool flag) external onlyOwner {
    // Move the counter only on an actual state change, so blacklisting the
    // same address twice does not double-count and un-blacklisting decrements.
    if (flag && !_isBlacklisted[blacklisted]) blacklistedCount++;
    else if (!flag && _isBlacklisted[blacklisted]) blacklistedCount--;
    _isBlacklisted[blacklisted] = flag;
}
```

## Assessed type

Error
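A fuller illustration of the counting relationship the finding describes, added here as example code and not taken from the Vultisig repository: the simplified contract, its field names, its `Blacklisted` event and its `checkWhitelist` rule are assumptions, and the effective count is only meaningful if blacklisted addresses were whitelisted first, so the view clamps at zero rather than reverting on underflow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified stand-in for the Whitelist contract; the real
/// contract's field names and checkWhitelist semantics are assumptions.
contract WhitelistWithBlacklistCount {
    address public owner;
    uint256 public whitelistCount;        // last index handed to a whitelisted address
    uint256 public blacklistedCount;      // addresses currently blacklisted
    uint256 public allowedWhitelistIndex; // only indexes <= this may transact
    mapping(address => uint256) public whitelistIndex; // 0 means "not whitelisted"
    mapping(address => bool) private _isBlacklisted;

    event Blacklisted(address indexed account, bool flag);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function setAllowedWhitelistIndex(uint256 index) external onlyOwner {
        allowedWhitelistIndex = index;
    }

    function addWhitelistedAddress(address account) external onlyOwner {
        if (whitelistIndex[account] == 0) whitelistIndex[account] = ++whitelistCount;
    }

    /// Only state transitions move the counter, so blacklisting the same
    /// address twice, or un-blacklisting it later, keeps the count accurate.
    function setBlacklisted(address account, bool flag) external onlyOwner {
        bool was = _isBlacklisted[account];
        if (flag && !was) blacklistedCount++;
        else if (!flag && was) blacklistedCount--;
        _isBlacklisted[account] = flag;
        emit Blacklisted(account, flag);
    }

    /// Whitelisted addresses that can actually transact: the figure the
    /// contest page describes as whitelistCount - blacklistedCount.
    function effectiveWhitelistCount() external view returns (uint256) {
        return blacklistedCount > whitelistCount ? 0 : whitelistCount - blacklistedCount;
    }

    function checkWhitelist(address to) external view {
        require(!_isBlacklisted[to], "blacklisted");
        uint256 idx = whitelistIndex[to];
        require(idx != 0 && idx <= allowedWhitelistIndex, "not whitelisted");
    }
}
```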

c4-judge commented 4 months ago

alex-ppg changed the severity to QA (Quality Assurance)

c4-judge commented 4 months ago

alex-ppg marked the issue as grade-c