bahurum
commented
9 months ago If a blocklisted trader cannot recover the tokens to its address, than that is fine as that is how the blocklist works.
Open hats-bug-reporter[bot] opened 10 months ago
bahurum
commented
9 months ago If a blocklisted trader cannot recover the tokens to its address, than that is fine as that is how the blocklist works.
Github username: @PlamenTSV Twitter username: @p_tsanev Submission hash (on-chain): 0x5886ea0bd151fb54e00723243d790f7b019fdc275160256220bcf43bbc0589a3 Severity: high
Description: Description\ Popular tokens like USDC and USDT which are surely to be used here, as well as other stable coins, tend to contain blacklist/blocklist functionality, disallowing certain addresses from initiating transfers. If a user with a deposit gets blocked, he can never recover his funds.
Attack Scenario\ User A deposits, he gets block-listed. Thus any attempt to withdraw would fail. That is because even though you give him the ability to define a
traderaddress to receive the tokens, thattraderaddress is a part of the signature. Meaning that if a block-listed user tries to provide a non-blocklisted address to receive his tokens, his signature would fail and the tokens would remain stuck.Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Recommendation: do not include the
traderaddress into the digest. Instead include the address of the staker and check against it. This way a staker can have a valid signature and still provide an arbitrary address to receive his funds if he is blocked.