Malicious user can Blocklist Token
Closed (sherlock-admin closed this issue 1 year ago)
tsvetanovv
medium

Summary
The protocol currently uses the following tokens:
ERC20: USDC, DAI, USDT, the protocol's own DerbyToken and its own VaultToken
Some tokens (e.g. USDC, USDT) have a contract-level, admin-controlled address blocklist. If an address is blocked, transfers to and from that address are forbidden.

Vulnerability Detail
There are currently 200+ accounts blacklisted by USDC; these accounts are related to known hacks and other crime events. https://etherscan.io/address/0x5db0115f3b72d19cea34dd697cf412ff86dc7e1b

Impact
In XProvider.sol, malicious or compromised token owners can trap funds in a contract by adding the contract address to the blocklist.

Code Snippet
XProvider.sol
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L147
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L329
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L574
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L583

Tool used
Manual Review

Recommendation
Try to implement a try/catch solution that skips the affected funds whenever they cause the USDC transfer to revert.
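As an added illustration of the recommended pattern (a hypothetical contract, not code from the Derby repository or from XProvider.sol), the loop below catches a revert raised inside the token's transfer, such as a blocklist check, records the affected payout and moves on instead of aborting the whole batch. It assumes an ERC20 whose transfer returns bool, as USDC and DAI do; USDT's transfer returns nothing, so it would need a low-level call wrapper (SafeERC20-style) instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used here. Assumption: transfer returns bool
// (true for USDC/DAI; USDT does not return a value and is not covered).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical example contract, not XProvider.sol. Access control on
// payOut is omitted for brevity and must be added in real code.
contract SkipRevertingTransfers {
    IERC20 public immutable token;

    // Amounts that could not be paid out (e.g. recipient is blocklisted)
    // are recorded here rather than blocking every other recipient.
    mapping(address => uint256) public unpaid;

    event TransferSkipped(address indexed to, uint256 amount, bytes reason);

    constructor(IERC20 _token) {
        token = _token;
    }

    /// Pay each recipient; a reverting transfer is skipped and accounted for.
    function payOut(address[] calldata to, uint256[] calldata amounts) external {
        require(to.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < to.length; i++) {
            // try/catch only applies to external calls: a revert inside
            // token.transfer (e.g. USDC's blocklist check) lands in catch.
            try token.transfer(to[i], amounts[i]) returns (bool ok) {
                if (!ok) _skip(to[i], amounts[i], "transfer returned false");
            } catch (bytes memory reason) {
                _skip(to[i], amounts[i], reason);
            }
        }
    }

    function _skip(address to, uint256 amount, bytes memory reason) internal {
        unpaid[to] += amount;
        emit TransferSkipped(to, amount, reason);
    }
}
```

This only helps when the recipient is the blocked party; if the contract's own address is blocklisted, every transfer from it reverts and there is nothing left to skip, which is exactly the trapped-funds case the issue describes.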
Duplicate of #240