sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


cats - User can front-run blacklisting mechanism to retain their tokens #24

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

cats

medium

User can front-run blacklisting mechanism to retain their tokens

Summary

A user can prevent the admin from blacklisting their address and removing their tokens by front-running the tx and transferring them to another address.

Vulnerability Detail

There is a blacklisting mechanism in the protocol, and when a user is blacklisted, their tokens are transferred to the caller with BLACKLISTER_ROLE.

```solidity
    // Hook run once on blacklisting: sweeps the user's entire balance to the caller.
    function _onceBlacklisted(address user) internal override {
        _transfer(user, _msgSender(), balanceOf(user));
    }
    function addBlackList(
        address user
    ) public virtual onlyRole(BLACKLISTER_ROLE) {
        if (blacklisted(user)) revert AlreadyBlacklisted(user);
        _setBlacklist(user, true);
@>      _onceBlacklisted(user); // balance at this point is whatever the user still holds
        emit AddedBlacklist(user);
    }
```

I believe the issue would usually be a low, but since funds are at risk of being removed, the user has incentive to front-run the blacklisting and transfer the funds to a different location to avoid losing them, which warrants medium.

Impact

User avoids funds being taken away by blacklisting.

Code Snippet

```solidity
    // Hook run once on blacklisting: sweeps the user's entire balance to the caller.
    function _onceBlacklisted(address user) internal override {
        _transfer(user, _msgSender(), balanceOf(user));
    }
    function addBlackList(
        address user
    ) public virtual onlyRole(BLACKLISTER_ROLE) {
        if (blacklisted(user)) revert AlreadyBlacklisted(user);
        _setBlacklist(user, true);
@>      _onceBlacklisted(user); // balance at this point is whatever the user still holds
        emit AddedBlacklist(user);
    }
```

Tool used

Manual Review

Recommendation

Consider using private validators for blacklisting actions.
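To make the ordering dependence concrete, here is an added Foundry test that is not from the report or the Telcoin code base: a constructed toy token reproduces the sweep-on-blacklist pattern, and the two tests contrast the intended ordering with the one the report describes. It assumes forge-std is available; the token, addresses and amounts are illustrative.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed toy token (not Telcoin's contract): just enough to model the report's pattern.
contract ToyBlacklistToken {
    address public immutable blacklister;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    constructor(address user, uint256 amount) {
        blacklister = msg.sender;
        balanceOf[user] = amount;
    }
    function transfer(address to, uint256 amount) external {
        require(!blacklisted[msg.sender], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
    // Mirrors addBlackList -> _onceBlacklisted: sweep whatever balance is left.
    function addBlackList(address user) external {
        require(msg.sender == blacklister, "not blacklister");
        blacklisted[user] = true;
        balanceOf[blacklister] += balanceOf[user];
        balanceOf[user] = 0;
    }
}

contract BlacklistOrderingTest is Test {
    address admin = address(0xA11CE);
    address user = address(0xB0B);
    address escape = address(0xCAFE); // second address held by the same user
    ToyBlacklistToken token;
    function setUp() public {
        vm.prank(admin);
        token = new ToyBlacklistToken(user, 1_000e18);
    }
    // Intended ordering: blacklist lands first and the sweep takes everything.
    function testBlacklistFirstSweepsBalance() public {
        vm.prank(admin);
        token.addBlackList(user);
        assertEq(token.balanceOf(admin), 1_000e18);
    }
    // Ordering from the report: the transfer is mined before the blacklist tx,
    // so the sweep finds a zero balance and the funds now sit at `escape`.
    function testTransferMinedFirstDefeatsSweep() public {
        vm.prank(user);
        token.transfer(escape, 1_000e18);
        vm.prank(admin);
        token.addBlackList(user);
        assertEq(token.balanceOf(admin), 0);
        assertEq(token.balanceOf(escape), 1_000e18);
    }
}
```

The second test is the case the recommendation is meant to rule out: if the blacklist transaction is not visible before inclusion, the user has no window in which to reorder ahead of it.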

sherlock-admin3 commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

WangAudit commented:

acknowledged in one of the previous contests

takarez commented:

valid; high(1)