there's no functionality provided by the protocol to unwhitelist whitelisted items incase
Summary
There are lots of whitelisted items in the BlueBerryBank.sol
Vulnerability Detail
There's whitelistedTokens, whitelistedWrappedTokens, whitelistedSpells, whitelistContracts in the BlueBerryBank.sol but there's no provided way to unwhitelist whitelisted items.. The users/protocol might have a change of heart with one of their whitelisted items and there will be no way to unwhitelist them.
I also noticed the protocol implemented whitelistContracts(), whitelistSpells() and whitelistTokens() in a strange way.
i.e the according to this comment by the dev
/// @param statuses list of statuses to change to
The status can be changed to false in order to unwhitelist them but it doesn't make sense because you'll end up reentering the already whitelisted items back into their respective mappings this will consume space and confuse the contract because one item will likely have 2 different bool value (i.e it will be set to true on one storage slot and false on another).
Pls check my recommendation on how to properly unwhitelist items.
Impact
The protocol won't be able to unwhitelist faulty contracts, spells e.t.c.
Let say a vuln was maybe discovered in a certain whitelisted contract the project/user/owner won't be able to unwhitelist them.
or maybe a whitelisted contract is later discovered to be malicious, they won't be able to unwhitelist them.
provide functions to unwhitelist whitelisted items by calling them by their idx from their whitelist mappings and changing their bool values to false, also implement access control on these functions pls.
PRAISE
medium
there's no functionality provided by the protocol to unwhitelist whitelisted items incase
Summary
There are lots of whitelisted items in the BlueBerryBank.sol
Vulnerability Detail
There's whitelistedTokens, whitelistedWrappedTokens, whitelistedSpells, whitelistContracts in the BlueBerryBank.sol but there's no provided way to unwhitelist whitelisted items.. The users/protocol might have a change of heart with one of their whitelisted items and there will be no way to unwhitelist them.
I also noticed the protocol implemented
whitelistContracts(),whitelistSpells()andwhitelistTokens()in a strange way. i.e the according to this comment by the devThe status can be changed to false in order to unwhitelist them but it doesn't make sense because you'll end up reentering the already whitelisted items back into their respective mappings this will consume space and confuse the contract because one item will likely have 2 different bool value (i.e it will be set to true on one storage slot and false on another). Pls check my recommendation on how to properly unwhitelist items.
Impact
The protocol won't be able to unwhitelist faulty contracts, spells e.t.c. Let say a vuln was maybe discovered in a certain whitelisted contract the project/user/owner won't be able to unwhitelist them. or maybe a whitelisted contract is later discovered to be malicious, they won't be able to unwhitelist them.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L66-L69
Tool used
Manual Review
Recommendation
provide functions to unwhitelist whitelisted items by calling them by their
idxfrom their whitelist mappings and changing their bool values to false, also implement access control on these functions pls.