clems4ev3r
commented
1 year ago Only Circle can add contracts to USDC blacklists, this is very unlikely
Closed github-actions[bot] closed 1 year ago
clems4ev3r
commented
1 year ago Only Circle can add contracts to USDC blacklists, this is very unlikely
hrishibhat
commented
1 year ago Agree with Lead Watson comment
tsvetanovv
medium
Malicious user can Blacklists Token
Summary
The protocol currently uses these tokens:
USDC have a contract level admin controlled address blocklist. If an address is blocked, then transfers to and from that address are forbidden.
Vulnerability Detail
There are currently 200+ blacklisted accounts by USDC, these accounts are related to known hacks and other crime events. https://etherscan.io/address/0x5db0115f3b72d19cea34dd697cf412ff86dc7e1b.
Impact
Malicious or compromised token owners can trap funds in a contract by adding the contract address to the blocklist.
Code Snippet
https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L1038 https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L269 https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L443
Tool used
Manual Review
Recommendation
Try to implement a try-catch solution where you skip certain funds whenever they cause the USDC transfer to revert.