Funds can be lost if any recipient or Owner is blacklisted
Summary
It is stated in the readme that the protocol will not accept fee on transfer tokens or re-basing tokens
Yet by using the popular tokens such as USDC, there exists a case where the funds for owner or recipient will locked permanently. This is due to the blacklist system which is implemented by USDC and many other popular well-reputed tokens.
in VestingEscrow.sol and VestingEscrowFactory.sol, if any of owner or recipient is blacklisted (due to illegal activities, using Tornado Cash for privacy reasons, spite by one of the them), the funds will be locked permanently.
Vulnerability Detail
In the VestingEscrow.sol contract, when an escrow is deployed,
if Owner wants to use revover or revoker functions or recipient wants call Claim functions in both case if they are blacklisted they will not able to retirve the tokens.
Blacklisting is certainly not uncommon and is used many of the popular token used for payments, such as the stablecoin USDC. An address can get blacklisted for illegal activities, some were blacklisted for just using tools like Tornado Cash to keep their transactions private
Impact
When this issue happens, all the funds in the contract are locked. And it will directly imapct the recipent and owner for their fund loss
A solution would be to implement a function to allow each recipient and owner are allowed to set another withdrawal address for their funds(respective fucntions), so even if they are blacklisted, they can at least withdraw those funds to another address.
0xlucky
medium
Funds can be lost if any recipient or Owner is blacklisted
Summary
It is stated in the readme that the protocol will not accept fee on transfer tokens or re-basing tokens
Yet by using the popular tokens such as USDC, there exists a case where the funds for owner or recipient will locked permanently. This is due to the blacklist system which is implemented by USDC and many other popular well-reputed tokens.
in VestingEscrow.sol and VestingEscrowFactory.sol, if any of owner or recipient is blacklisted (due to illegal activities, using Tornado Cash for privacy reasons, spite by one of the them), the funds will be locked permanently.
Vulnerability Detail
In the VestingEscrow.sol contract, when an escrow is deployed, if Owner wants to use revover or revoker functions or recipient wants call Claim functions in both case if they are blacklisted they will not able to retirve the tokens.
Blacklisting is certainly not uncommon and is used many of the popular token used for payments, such as the stablecoin USDC. An address can get blacklisted for illegal activities, some were blacklisted for just using tools like Tornado Cash to keep their transactions private
Impact
When this issue happens, all the funds in the contract are locked. And it will directly imapct the recipent and owner for their fund loss
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrowFactory.sol#L82
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L140
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L172
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L187
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L209
Tool used
Manual Review
Recommendation
A solution would be to implement a function to allow each recipient and owner are allowed to set another withdrawal address for their funds(respective fucntions), so even if they are blacklisted, they can at least withdraw those funds to another address.
Duplicate of #31