search

code-423n4 / 2024-06-vultisig-findings

2 stars 0 forks source link

User who is not whitelisted can still buy VULT token from Uniswap pool #202

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/0957ff9e50441cd6de6b4f6e28c7ea93f5cffa85/hardhat-vultisig/contracts/Whitelist.sol#L216-L218

Vulnerability details

Impact

If a user is not whitelisted (or blacklisted), they can buy VULT token from Uniswap pool regardless of whitelisted slots during whitelist launch period.

Proof of Concept

When user buys VULT token from pool, if _whitelistContract_ is not address(0), checkWhitelist() of the whitelistContract__ is called to apply WL logic. One of the requirements is that user whitelist index should be within allowed index range:

            if (_allowedWhitelistIndex == 0 || _whitelistIndex[to] > _allowedWhitelistIndex) {
                revert NotWhitelisted();
            }

The problem is that _whitelistIndex[to] is default to 0 if a user is not whitelisted, and the check will always pass if _allowedWhitelistIndex is larger than 0, this means the user who is not whitelisted can buy VULT token, renders the whitelist mechanism and _allowedWhitelistIndex useless.

Tools Used

Manual Review

Recommended Mitigation Steps

Whitelist check should be as below:

            if (_whitelistIndex[to] == 0 || _whitelistIndex[to] > _allowedWhitelistIndex) {
                revert NotWhitelisted();
            }

Assessed type

Access Control

c4-judge commented 4 months ago

alex-ppg changed the severity to 3 (High Risk)

c4-judge commented 4 months ago

alex-ppg marked the issue as satisfactory