Open hats-bug-reporter[bot] opened 9 months ago
Thank you for the feedback!
However, we have to dismiss this finding, because this is a latent issue for the entirety of DeFi and therefore common knowledge. We agree that usage of permissioned stable coins should be minimized but this is in the hands of the users to decide.
In your constructed example, the blacklisted caller can simply call the function from a different address. A much larger issue could happen if the Portal itself becomes blacklisted as it would break the functionality if the reward token is USDC/USDT - as is the case with the HLP Portal. However, there is nothing we can do about it.
We take your feedback as a feature request (send received tokens to a specific address) but it is not a vulnerability and the contract works as intended.
@PossumLabsCrypto
Thanks for the comment.
The issue should be considered here. convert()
is not converting any arbitrary amount to desired output token. It is taking AMOUNT_TO_CONVERT
which is said to be 100000 * 1e18, i.e. 100k tokens.
. This is big amount and and if the user would like to convert to USDC/USDT tokens which is most likely as these are most used tokens in crypto then the above explained issues may happen. It is true that we can not predict which address will be blacklisted by USDC/USDT but a future problem from happening could be solved by the given recommendation.
Adding a recipient address is not mere feature but its protecting the user from permanent function failure.
Such issues happening due to blacklisted feature of these tokens has been judged as High/Medium at sherlock and other platforms.
I politely request for the consideration of this issue.
Your request is well received. However, I suspect there is a misunderstanding.
The 100k tokens you mentioned are PSM tokens that have to be used in convert(). If the user in question was blacklisted by USDC/USDT, he could send PSM tokens to a different wallet and call the convert() from there without a problem.
Hence, accomodating for this in our smart contract is optional, i.e. regarded a feature request.
The proposed solution does not prevent or solve for the Portal itself being blacklisted which is the more severe risk.
(This risk is already partly mitigated by allowing the convert() function to target any token inside the Portal which accomodates a change in reward tokens by the underlying protocol - for example when the blacklisting practices of USDC/USDT become unnacceptable. Though, this is at the discretion of the underlying protocol that we build on.)
@PossumLabsCrypto
I understand your point. Since any address got blacklisted by USDC/USDT will only be known by transaction failure. The portal address has its specific use in protocol but the user can use his address for multiple things. I thought the user should be allowed to pass his desired recipient address and instead of doing multiple transaction for a same task, he could be able to do here in one transaction. imo low severity is still justified here
I thought the user should be allowed to pass his desired recipient address and instead of doing multiple transaction for a same task
You thinking that the user "should be able to do XYZ to have better UX" is the definition of a feature request. :)
Btw, I don´t debate that this is a useful feature. In fact, we do have this option in mintPortalEnergyToken() and burnPortalEnergyToken() already. However, when we talk about vulnerabilities, it simply does not fit the definition as everything works as intended. Thanks for understanding. 🤝
Github username: @0xRizwan Twitter username: 0xRizwann Submission hash (on-chain): 0x45ce79882357789c1dcb02d2c0ba756fa34ba788bb884bcf20736442900be509 Severity: medium
Description: Description\
In
Portal.sol
,convert()
is used to handle the arbitrage conversion of tokens inside the contract for PSM tokens. It means thatPSM_ADDRESS
will always be be the input hardcoded token address and whatever token address i.e output token that we want to receive after the the conversion.The issue here is with the output token(_token) like USDC, USDT.
USDC
tokens have ablacklist()
function which is used to blacklist any address by USDC admin. This can be checked here-#2Similarly,
USDT
tokens have aaddToBlockedList()
function which is used to blacklist any address by USDT admin. This can be checked here-#2It must be noted that USDC and USDT are widely used tokens in the crypto market.
Attachments
Consider a scenario,
1) User wants to convert his PSM tokens to USDC/USDT tokens by calling
convert()
2) Amount of tokens to be converted i.eAMOUNT_TO_CONVERT
is hardcoded as the user is only allowed to sweep entire balance for respective output tokens in one go. 3) The user address i,emsg.sender
is found to be blacklisted by USDC/USDT then the transactions will always revert. 4) While transferring the output token in case of USDC/USDT,USDC/USDT contracts always check whether the calling address i.e
msg.sender
is blacklisted or not.5) If this scenario happens which is very much likely the user won't be able to convert his tokens to USDC/USDT. It will break the one of the important functionality of contract.
This issue is identified as Medium severity as it falls in below category:
Recommend to allow the recipient address as function argument and allow user to transfer the output tokens to his desired address.