Closed sherlock-admin2 closed 9 months ago
Invalid, black list harming only user is not valid based on sherlock rules
- Contract / Admin Address Blocklisting / Blacklisting / Freezing: If a protocol's smart contracts or admin addresses get added to a "blocklist" and the functionality of the protocol is affected by this blocklist, this is not considered a valid issue.
Chinmay
medium
mtFee can get locked forever if the MAINTAINER address is blacklisted by one of the tokens of a pool
Summary
The GSP pools intend to mostly use stablecoins like USDC etc. that might be centralized. If the USDC/ other token's operator blacklists the MAINTAINER address, then the mtFee for both the tokens will be locked forever in the contract.
Vulnerability Detail
The MAINTAINER address is meant to receive the mtFee (that DODO charges) for any swaps (sellBase / sellQuote) in the pool. But this address is hardcoded on pool initialization and if this address gets blacklisted in the future by any of the two assets' operators, then withdrawMtFeeTotal() function will be bricked permanently and fees for both assets will be stuck in the contract.
Impact
mtFee for both assets will be stuck in the contract.
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/af43d39f6a89e5084843e196fc0185abffe6304d/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPVault.sol#L210
Tool used
Manual Review
Recommendation
Add a new function such that the owner can change the MAINTAINER address