Closed sherlock-admin2 closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, there is no correlation between the two functions. blockAccountVersion() is blocking account implementation version from being created as a new account, no relation to transfer of an account.
Topmark
medium
Blocked Accounts are not Checked before Transfer to New Innocent Users
Summary
Blocked Accounts are not Checked before Transfer to Innocent New Users
Vulnerability Detail
The code above from the factory contract shows the blockAccountVersion(...) function and how it is implemented. It can be noted from the pointer how blocked account versions are set to true, but the problem is that none of these factors is taken into consideration during account transfer to a new user, as provided below from the same contract. This can be used to take advantage of innocent users who get this block data transferred to them, with restrictions that affect the flow of code execution.
Impact
Blocked Accounts are not Checked before Transfer to New Innocent Users
Code Snippet
https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/Factory.sol#L297
https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/Factory.sol#L222
Tool used
Manual Review
Recommendation
Arcadia Protocol should ensure necessary validation is done to prevent transfer of already blocked accounts to new users in the Factory Contract