search

code-423n4 / 2024-06-vultisig-validation

0 stars 0 forks source link

Refund not possible due to blacklisting #184

Open c4-bot-2 opened 2 months ago

c4-bot-2 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/main/src/ILOPool.sol#L350

Vulnerability details

Impact

Currently, our contract allows refunds (claimRefund and claimProjectRefund functions) directly to users or project admins. However, direct transfers may fail if the recipient addresses are blacklisted. This situation can lead to contract failures and user dissatisfaction.

Proof of Concept

When dealing with tokens with blocklist such as USDC, Direct transfers to blacklisted addresses can lead to transaction failures, disrupting the contract's intended operations.

User Experience: Users or project admins expecting refunds may experience delays or confusion if transfers fail due to blacklisting.

 function claimRefund(uint256 tokenId) external override refundable() isAuthorizedForToken(tokenId) {
        uint256 refundAmount = _positions[tokenId].raiseAmount;
        address tokenOwner = ownerOf(tokenId);

        delete _positions[tokenId];
        delete _positionVests[tokenId];
        _burn(tokenId);

        TransferHelper.safeTransfer(RAISE_TOKEN, tokenOwner, refundAmount);
        emit UserRefund(tokenOwner, tokenId,refundAmount);
    }

    /// @inheritdoc IILOPool
    function claimProjectRefund(address projectAdmin) external override refundable() OnlyManager() returns(uint256 refundAmount) {
        return _refundProject(projectAdmin);
    }

    function _refundProject(address projectAdmin) internal returns (uint256 refundAmount) {
        refundAmount = IERC20(SALE_TOKEN).balanceOf(address(this));
        if (refundAmount > 0) {
            TransferHelper.safeTransfer(SALE_TOKEN, projectAdmin, refundAmount);//@audit blacklist
            emit ProjectRefund(projectAdmin, refundAmount);
        }
    }

Tools Used

Manual review

Recommended Mitigation Steps

Dont transfer directly to the tokenOwner or the projectAdmin instead allow them to provide an address to where the funds will be sent

Assessed type

Token-Transfer

pratokko commented 1 month ago

Hello judge I think blocklists should be considered to be in scope would like to know why this was invalidated thank you!

alex-ppg commented 1 month ago

Hey @pratokko, thank you for the PJQA contribution. I will preface all validation repository finding responses by stating that they are not evaluated by judges directly and are only evaluated by the validators if they are deemed unsatisfactory.

There is no indication that EIP-20 blacklists are in the scope of the contest, rendering this submission out of scope.

This paragraph is included in all of my responses and confirms that no further feedback is expected in this submission as PJQA has concluded. You are free to refute any of my statements factually, however, I strongly implore you to do this with actual code references and examples.