Open c4-bot-2 opened 2 months ago
Hello judge, I think blocklists should be considered to be in scope. I would like to know why this was invalidated, thank you!
Hey @pratokko, thank you for the PJQA contribution. I will preface all validation repository finding responses by stating that they are not evaluated by judges directly and are only evaluated by the validators if they are deemed unsatisfactory.
There is no indication that EIP-20 blacklists are in the scope of the contest, rendering this submission out of scope.
This paragraph is included in all of my responses and confirms that no further feedback is expected in this submission as PJQA has concluded. You are free to refute any of my statements factually, however, I strongly implore you to do this with actual code references and examples.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/main/src/ILOPool.sol#L350
Vulnerability details
Impact
Currently, our contract allows refunds (claimRefund and claimProjectRefund functions) directly to users or project admins. However, direct transfers may fail if the recipient addresses are blacklisted. This situation can lead to contract failures and user dissatisfaction.
Proof of Concept
When dealing with tokens that have a blocklist, such as USDC, direct transfers to blacklisted addresses can lead to transaction failures, disrupting the contract's intended operations.
User Experience: Users or project admins expecting refunds may experience delays or confusion if transfers fail due to blacklisting.
Tools Used
Manual review
Recommended Mitigation Steps
Don't transfer directly to the tokenOwner or the projectAdmin; instead, allow them to provide an address to where the funds will be sent.
Assessed type
Token-Transfer
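The two refund shapes discussed in the report, as an added illustration that is not code from ILOPool.sol or the Vultisig project: `RefundWithRecipient`, `refundOwed`, `claimRefundDirect`, `claimRefund(address)` and the `BlocklistToken` mock are hypothetical names chosen for this sketch. The mock reverts on transfers to a blocklisted recipient the way a USDC-style token does, so the push-style claim fails for a blocklisted caller while the recipient-chosen variant still lets that caller route the refund elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. All names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal stand-in for a token with a blocklist (USDC-like behaviour):
// any transfer to a blocklisted recipient reverts.
contract BlocklistToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blocklisted;
    address public immutable admin;

    constructor() { admin = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        balanceOf[to] += amount;
    }

    function setBlocklisted(address who, bool flag) external {
        require(msg.sender == admin, "not admin");
        blocklisted[who] = flag;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blocklisted[msg.sender] && !blocklisted[to], "blocklisted");
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract RefundWithRecipient {
    IERC20 public immutable token;
    // Hypothetical accounting: how much each claimant is owed.
    mapping(address => uint256) public refundOwed;

    constructor(IERC20 _token) { token = _token; }

    // Hypothetical hook so the example can be exercised; a real pool would
    // populate this from its own sale/refund logic.
    function credit(address claimant, uint256 amount) external {
        refundOwed[claimant] += amount;
    }

    // Push style, as the report describes: funds always go to msg.sender.
    // If msg.sender is blocklisted by the token, the whole call reverts and
    // the refund stays stuck.
    function claimRefundDirect() external {
        uint256 amount = refundOwed[msg.sender];
        require(amount > 0, "nothing to refund");
        refundOwed[msg.sender] = 0; // effects before interaction
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // The report's mitigation: the claimant names the recipient, so a
    // blocklisted claimant can still direct the refund to an address the
    // token will accept. Authorization is still tied to msg.sender.
    function claimRefund(address recipient) external {
        require(recipient != address(0), "zero recipient");
        uint256 amount = refundOwed[msg.sender];
        require(amount > 0, "nothing to refund");
        refundOwed[msg.sender] = 0; // effects before interaction
        require(token.transfer(recipient, amount), "transfer failed");
    }
}
```

To exercise it: deploy `BlocklistToken`, deploy `RefundWithRecipient` pointing at it, mint the pool a balance, `credit` a claimant, then `setBlocklisted(claimant, true)`. `claimRefundDirect()` from the claimant reverts with "blocklisted", while `claimRefund(someOtherAddress)` from the same claimant succeeds. Zeroing `refundOwed` before the external call keeps the function safe against re-entry regardless of which variant is used.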