If a user gets blacklisted from usdc,they wont be able to withdraw usdc
Summary
Since _USER is a variable but there is no way to change the address, so if the address gets blacklisted it won't be able to withdraw usdc and it will be stuck in the contract
Vulnerability Detail
withdrawERC20 has onlyUser modifier so when the user gets blacklisted, the only to call this function is the user and since the blacklist is very possible the usdc can get stuck in the contract and there is no way for the user to get their funds out.
Impact
stuck funds
Code Snippet
address private _USER;
modifier onlyUser() {
require(_USER == msg.sender, "caller is not the user");
//different part of code
IERC20(_marginAddress).transfer(msg.sender, _marginAmount);
Tool used
Manual Review
Recommendation
have the function to change the user address
for have separate function for the owner to withdraw funds
simon135
high
If a user gets blacklisted from usdc,they wont be able to withdraw usdc
Summary
Since
_USERis a variable but there is no way to change the address, so if the address gets blacklisted it won't be able to withdraw usdc and it will be stuck in the contractVulnerability Detail
withdrawERC20hasonlyUsermodifier so when the user gets blacklisted, the only to call this function is the user and since the blacklist is very possible the usdc can get stuck in the contract and there is no way for the user to get their funds out.Impact
stuck funds
Code Snippet
Tool used
Manual Review
Recommendation
have the function to change the user address for have separate function for the owner to withdraw funds