Closed: sherlock-admin2 closed this issue 9 months ago
Invalid. Recipient blacklisting only hurts themselves. As a side note, there are no plans to deposit blacklistable tokens into the escrow.
Invalid, a blacklist only harming the user is not accepted based on Sherlock rules. Additionally, only LUSD and DAI are supported, both of which do not have a blacklist mechanism.
- User Blacklist: User getting blacklisted by a token/contract causing harm only to themselves is not a valid medium/high.
Bbash
medium
`recoverERC20` function will fail if the recipient address gets blacklisted in VestingEscrow.sol
Summary
`recoverERC20` function does not work if the `recipient` address gets blacklisted.
Vulnerability Detail
Some ERC-20 tokens, for example, USDC (which is used by the protocol) have the functionality to blacklist specific addresses, so that they are not allowed to transfer and receive tokens. Sending funds to these addresses will lead to a revert. The protocol claims to recover all types of ERC20 tokens. However, if the recipient gets blacklisted by USDC then the recipient will not be able to withdraw or recover these ERC20 tokens, and these tokens are stuck in the contract. Hence, the `recoverERC20` function will not work, and any USDC that is sent to this contract by anyone either intentionally or unintentionally (accidentally) will be locked.
Impact
Any USDC that is sent to this contract will be stuck and there is no way to recover this.
Code Snippet
This is the instance of protocol claiming to recover all types of ERC20 tokens:
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L199
This is the function to recover all types of ERC20 tokens:
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L202
Tool used
Manual Review
Recommendation
Add an `onlyRecipient` modifier and allow the recipient to pass a beneficiary address as a parameter for receiving the ERC20 token in the `recoverERC20` function, similar to the `claim` function, instead of transferring directly to the recipient address.