0xdice91 - Blacklisted `accounts` can still send and receive tokens.

[sherlock-admin]

0xdice91

medium

Blacklisted accounts can still send and receive tokens.

Summary

Blacklisted accounts can still send and receive tokens because it is not checked before transfers.

Vulnerability Detail

In TransferRestrictor.sol the function requireNotRestricted() is used to ensure that a blacklisted account cannot send or receive tokens.

 function requireNotRestricted(address from, address to) external view virtual {
        // Check if either account is restricted
        if (blacklist[from] || blacklist[to]) {
            revert AccountRestricted();
        }
        // Otherwise, do nothing
    }

This function also is used in BridgedERC20._beforeTokenTransfer() with some additional checks.

 function _beforeTokenTransfer(address from, address to, uint256) internal virtual override {
        // Restrictions ignored for minting and burning
        // If transferRestrictor is not set, no restrictions are applied
        if (from == address(0) || to == address(0) || address(transferRestrictor) == address(0)) {
            return;
        }

        // Check transfer restrictions
        transferRestrictor.requireNotRestricted(from, to);
    }

The issue here is that calls to _beforeTokenTransfer() or requireNotRestricted() are not done before transfers, especially between the users and protocol to prevent blacklisted accounts from transferring.

Impact

Blacklisted accounts can still interact with the protocol leading to unexpected security risks.

Code Snippet

https://github.com/sherlock-audit/2023-06-dinari/blob/main/sbt-contracts/src/TransferRestrictor.sol#L53-L59

https://github.com/sherlock-audit/2023-06-dinari/blob/main/sbt-contracts/src/BridgedERC20.sol#L127-L136

Tool used

Manual Review

Recommendation

Calls to _beforeTokenTransfer() or requireNotRestricted() should be added to vital functions to ensure safety and prevent blacklisted users from calling them.