hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

Bypass of Blacklist via void Function in Validator #78

Open hats-bug-reporter[bot] opened 1 day ago

hats-bug-reporter[bot] commented 1 day ago

Github username: --
Twitter username: 4n0n_x
Submission hash (on-chain): 0xe89316f61cbe0531bea147aff5576e14a7a75dc5387913aa8dd12f86ca3fcb0f
Severity: medium

Description: The void function in Validator is controlled by the WHITELISTER_ROLE, allowing any user with this role to reset an account's status. This can lead to blacklisted accounts being reset to VOID status, effectively bypassing the blacklist restrictions.

Impact: A user with WHITELISTER_ROLE could accidentally or intentionally reset blacklisted accounts, allowing restricted addresses to bypass security measures, which undermines the integrity of the blacklist.

Recommendation:

Modify the void function to check that only users with the BLACKLISTER_ROLE can void blacklisted accounts, and only users with the WHITELISTER_ROLE can void whitelisted accounts.

```solidity
// Parentheses added for readability; && already binds tighter than || in Solidity,
// so the check is unchanged.
require(
    (hasRole(BLACKLISTER_ROLE, msg.sender) && accountStatus[account] == Status.BLACKLISTED) ||
    (hasRole(WHITELISTER_ROLE, msg.sender) && accountStatus[account] == Status.WHITELISTED),
    "Not authorized to void"
);
```

AndreiMVP commented 5 hours ago

The WHITELIST_ROLE can also set the status to WHITELISTED which would have the same effect. Thus this is intended behavior.
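
As an added illustration, not code from the Euro-Dollar repository, here is a minimal hypothetical Validator built on OpenZeppelin's AccessControl that applies the reporter's recommended guard in `void`, with a comment marking the `whitelist` path AndreiMVP points out as reaching the same end state. The contract name, the `whitelist`/`blacklist` setters, the event and the role hash derivation are assumptions; only `void`, the two role names, `accountStatus` and the `Status` values come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin AccessControl (hasRole / onlyRole / _grantRole).
import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical minimal Validator; the real contract's layout is not on the page.
contract ValidatorExample is AccessControl {
    bytes32 public constant WHITELISTER_ROLE = keccak256("WHITELISTER_ROLE");
    bytes32 public constant BLACKLISTER_ROLE = keccak256("BLACKLISTER_ROLE");

    enum Status { VOID, WHITELISTED, BLACKLISTED }
    mapping(address => Status) public accountStatus;

    event StatusChanged(address indexed account, Status previous, Status current);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Maintainer's point: even with the guard on void() below, this call still
    // moves a BLACKLISTED account to WHITELISTED, so guarding void() alone does
    // not fence off blacklisted accounts from the whitelister role.
    function whitelist(address account) external onlyRole(WHITELISTER_ROLE) {
        _setStatus(account, Status.WHITELISTED);
    }

    function blacklist(address account) external onlyRole(BLACKLISTER_ROLE) {
        _setStatus(account, Status.BLACKLISTED);
    }

    // The report's recommended guard: the role that placed an account on a list
    // is the only one that may clear it back to VOID.
    function void(address account) external {
        Status current = accountStatus[account];
        require(
            (hasRole(BLACKLISTER_ROLE, msg.sender) && current == Status.BLACKLISTED) ||
            (hasRole(WHITELISTER_ROLE, msg.sender) && current == Status.WHITELISTED),
            "Not authorized to void"
        );
        _setStatus(account, Status.VOID);
    }

    function _setStatus(address account, Status next) internal {
        Status previous = accountStatus[account];
        accountStatus[account] = next;
        emit StatusChanged(account, previous, next);
    }
}
```

The emitted StatusChanged event gives monitoring a record of every transition, including a whitelister overwriting a BLACKLISTED entry, which is the path the maintainer's reply refers to.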