search

sherlock-audit / 2023-06-dinari-judging

5 stars 4 forks source link

0xMosh - Cancelation of order will fail If the recipient is added to the USDC blacklist. #113

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xMosh

medium

Cancelation of order will fail If the recipient is added to the USDC blacklist.

Summary

cancelOrder() will send the USDC to the recipient, if the recipient is added to the USDC blacklist, then cancelOrder() will not work.

Vulnerability Detail

The cancelOrder function cancels an order and sends the escrowed tokens to the user . Consider a scenario where if the operator intends to call cancelOrder function to cancel the order, a malicious recipient can block the address from receiving USDC by adding it to the USDC blacklist (e.g. by doing something malicious with that address, etc.), which prevents the Protocol from canceling the Order.

Impact

A malicious recipient may prevent the protocol from cancelling malicious orders .

Code Snippet

The inherited cancelOrder function from OrderProcessor.sol in SellOrderProcessor.sol will fail due to the circumstancess

This is where the transaction fails : 

  IERC20(orderRequest.assetToken).safeTransfer(orderRequest.recipient, refund);

https://github.com/sherlock-audit/2023-06-dinari/blob/main/sbt-contracts/src/issuer/SellOrderProcessor.sol#L150

Tool used

Manual Review

Recommendation

Instead of sending tokens directly to recipient, consider storing the number of tokens in variables and having the recipient claim it later

Duplicate of #57