sherlock-audit / 2023-12-dodo-gsp-judging


Chinmay - mtFee can get locked forever if the MAINTAINER address is blacklisted by one of the tokens of a pool #65

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

Chinmay

medium

mtFee can get locked forever if the MAINTAINER address is blacklisted by one of the tokens of a pool

Summary

The GSP pools intend to mostly use stablecoins like USDC etc. that might be centralized. If the USDC/other token's operator blacklists the MAINTAINER address, then the mtFee for both the tokens will be locked forever in the contract.

Vulnerability Detail

The MAINTAINER address is meant to receive the mtFee (that DODO charges) for any swaps (sellBase / sellQuote) in the pool. But this address is hardcoded on pool initialization and if this address gets blacklisted in the future by any of the two assets' operators, then withdrawMtFeeTotal() function will be bricked permanently and fees for both assets will be stuck in the contract.

Impact

mtFee for both assets will be stuck in the contract.

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/af43d39f6a89e5084843e196fc0185abffe6304d/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPVault.sol#L210

Tool used

Manual Review

Recommendation

Add a new function such that the owner can change the MAINTAINER address.
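Added example, not part of the original report and not the project's code: a simplified Solidity sketch of the failure mode described above, together with the recommended setter. Every name except `withdrawMtFeeTotal` is hypothetical, and both tokens are assumed to revert on a transfer to a blacklisted recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;
// Added illustration; names are hypothetical and not taken from GSPVault.sol.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract FeeVaultSketch {
    address public immutable owner;
    IERC20 public immutable baseToken;
    IERC20 public immutable quoteToken;
    address public maintainer; // fee recipient, set at initialization
    uint256 public mtFeeBase;  // accrued maintainer fee, base token
    uint256 public mtFeeQuote; // accrued maintainer fee, quote token

    event MaintainerChanged(address indexed previous, address indexed current);

    constructor(IERC20 base, IERC20 quote, address maintainer_) {
        require(maintainer_ != address(0), "zero maintainer");
        owner = msg.sender;
        baseToken = base;
        quoteToken = quote;
        maintainer = maintainer_;
    }

    // Stand-in for the swap path; assumes the vault already holds the tokens.
    function creditFees(uint256 baseFee, uint256 quoteFee) external {
        require(msg.sender == owner, "not owner");
        mtFeeBase += baseFee;
        mtFeeQuote += quoteFee;
    }

    // Both transfers share one transaction: if either token reverts for a
    // blacklisted `maintainer`, the zeroing rolls back and neither fee moves.
    function withdrawMtFeeTotal() external {
        (uint256 baseFee, uint256 quoteFee) = (mtFeeBase, mtFeeQuote);
        (mtFeeBase, mtFeeQuote) = (0, 0);
        require(baseToken.transfer(maintainer, baseFee), "base transfer failed");
        require(quoteToken.transfer(maintainer, quoteFee), "quote transfer failed");
    }

    // The report's recommendation: let the owner repoint the fee recipient.
    function setMaintainer(address newMaintainer) external {
        require(msg.sender == owner, "not owner");
        require(newMaintainer != address(0), "zero maintainer");
        emit MaintainerChanged(maintainer, newMaintainer);
        maintainer = newMaintainer;
    }
}
```

Tokens whose `transfer` returns no value would need a safe-transfer wrapper in place of the `require` on the return value.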

nevillehuang commented 9 months ago

Invalid, blacklist harming only user is not valid based on Sherlock rules

  1. Contract / Admin Address Blocklisting / Blacklisting / Freezing: If a protocol's smart contracts or admin addresses get added to a "blocklist" and the functionality of the protocol is affected by this blocklist, this is not considered a valid issue.