Open hats-bug-reporter[bot] opened 1 month ago
Hey there,
The following should be considered low at most because:
This issue is of Medium severity as originally submitted and judged. The end user is affected here due to his address being blacklisted. This makes it impossible for him to unstake from Inverter contracts. Sending the staked tokens to the user's own address, i.e. msg.sender, is actually a limitation and could act as a barrier here due to the blacklisting issue. Practically, this issue would also have an adverse impact on the Inverter staking contract as unstake would fail in the above issue. The recommendation is simple to follow, i.e. allowing a recipient address to get back the staked tokens; the recipient address could be msg.sender himself if he is not blacklisted, or some other address he desires. I believe Medium severity is justified here.
I know where you are coming from, but we currently don't want to get into the topic of circumventing blacklist restrictions, as we don't know the size of the topic yet.
@NicolaMirchev @FHieser thank you, I think the low label is good for this issue.
As the following:
Issue impact is high and severity is confirmed to be Medium. Will wait for @FHieser, based on our last discussion on this topic.
We acknowledge this issue as Medium severity. In addition to this issue in the audit report, we will add a disclaimer for users in case of USDC/USDT risks.
Github username: @0xRizwan
Twitter username: 0xRizwann
Submission hash (on-chain): 0xcc5288cac2a3745a964f41e886a1bf16b3c7238ee2fde72e52333d7bd5130de4
Severity: medium
Description:

The `LM_PC_Staking_v1.sol` contract provides a mechanism for users to stake their tokens to earn rewards. This is done by calling the `LM_PC_Staking_v1.stake()` function. When users want to get back their staked tokens with rewards, `LM_PC_Staking_v1.unstake()` can be called by users. Per the discussion with the protocol team, it's understood that the `LM_PC_Staking_v1` admin is free to consider any token as `stakingToken` except FOT/rebasing/callback tokens. This issue is specifically for tokens like USDC, which has a `blacklist()` function that is used by the USDC admin to blacklist any address. This can be checked here.

The contracts will be deployed on Optimism, Polygon, Linea.

Consider the scenario below to understand the issue better:

1) `LM_PC_Staking_v1` is deployed on Optimism and the admin has considered USDC as `stakingToken`.
2) Alice wants to stake her USDC, so she calls `LM_PC_Staking_v1.stake()` and transfers the USDC to the `LM_PC_Staking_v1` contract.
3) After a few days/months, Alice decides to unstake the staked tokens, i.e. to get back USDC from `LM_PC_Staking_v1`, so she calls `LM_PC_Staking_v1.unstake()`. Alice finds that her address is blacklisted by USDC.
4) When the `LM_PC_Staking_v1` contract tries to transfer the USDC to Alice's address, the transaction fails, as the transfer function checks whether the recipient address is blacklisted or not.

Below is the transfer method of USDC,

USDC notBlacklisted() modifier,

So the USDC transfer in our case will always revert and Alice won't be able to get back her staked USDC.

Impact

Users won't be able to get back their deposited `stakingToken`, i.e. USDC/USDT, if their address is blacklisted, as `LM_PC_Staking_v1` cannot transfer USDC to a blacklisted address.

Recommendation to fix

Recommend allowing the recipient address as a function param in the `LM_PC_Staking_v1.unstake()` function. For example:

Note: If the above change is considered then the reward recipient should also be changed in `_distributeRewards()`.
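The failure mode described in this report, as an added illustration that is neither Inverter's nor Circle's code: a constructed token whose transfers revert for blacklisted accounts, next to a minimal staking contract that has both the reported `unstake()` shape (payout hard-wired to `msg.sender`) and the recipient-parameter shape the report proposes. `MockBlacklistableToken` and `MinimalStaking` are hypothetical names, and rewards are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for a USDC-style token (not Circle's code): transfers
// revert when sender or recipient is blacklisted, like USDC's notBlacklisted().
contract MockBlacklistableToken {
    address public immutable admin;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;
    constructor() { admin = msg.sender; }
    modifier notBlacklisted(address account) {
        require(!blacklisted[account], "Blacklistable: account is blacklisted");
        _;
    }
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function blacklist(address account) external { require(msg.sender == admin, "not admin"); blacklisted[account] = true; }
    function transfer(address to, uint256 amount)
        external notBlacklisted(msg.sender) notBlacklisted(to) returns (bool) {
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount; return true;
    }
    function transferFrom(address from, address to, uint256 amount)
        external notBlacklisted(msg.sender) notBlacklisted(from) notBlacklisted(to) returns (bool) {
        allowance[from][msg.sender] -= amount; balanceOf[from] -= amount; balanceOf[to] += amount; return true;
    }
}

// Constructed minimal staking module (not LM_PC_Staking_v1) with both unstake
// shapes discussed in the report; reward accounting is omitted.
contract MinimalStaking {
    MockBlacklistableToken public immutable stakingToken;
    mapping(address => uint256) public staked;
    constructor(MockBlacklistableToken token) { stakingToken = token; }
    function stake(uint256 amount) external {
        staked[msg.sender] += amount;
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "pull failed");
    }
    // As reported: recipient hard-wired to msg.sender. Once the token admin
    // blacklists the staker, this reverts and the stake is stuck in the contract.
    function unstake(uint256 amount) external {
        staked[msg.sender] -= amount;
        require(stakingToken.transfer(msg.sender, amount), "payout failed");
    }
    // Shape proposed in the report: the staker names the recipient.
    function unstake(uint256 amount, address recipient) external {
        staked[msg.sender] -= amount;
        require(stakingToken.transfer(recipient, amount), "payout failed");
    }
}
```

Deploying both, staking from an account, then calling `blacklist()` on that account from the token admin makes the one-argument `unstake` revert with the token's blacklist message while the staker's `staked` balance remains in the contract, which is the stuck-funds condition the report describes.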