sherlock-audit / 2024-02-telcoin-platform-audit-update-judging

3 stars 1 forks source link

cawfree - Blacklisted accounts can still transact. #4

Open sherlock-admin2 opened 7 months ago

sherlock-admin2 commented 7 months ago

cawfree

medium

Blacklisted accounts can still transact.

Summary

Accounts that have been blacklisted by the BLACKLISTER_ROLE continue to transact normally.

Vulnerability Detail

Currently, the only real effect of blacklisting an account is the seizure of Stablecoin funds:

/**
 * @notice Overrides Blacklist function to transfer balance of a blacklisted user to the caller.
 * @dev This function is called internally when an account is blacklisted.
 * @param user The blacklisted user whose balance will be transferred.
 */
function _onceBlacklisted(address user) internal override {
  _transfer(user, _msgSender(), balanceOf(user));
}

However, following a call to addBlackList(address), the blacklisted account may continue to transact using Stablecoin.

Combined with previous audit reports, which attest to the blacklist function's susceptibility to frontrunning, the current implementation of the blacklist operation can effectively be considered a no-op.

Impact

Medium, as this the failure of a manually administered security feature.

Code Snippet

📄 Stablecoin.sol

Tool used

Manual Review

Recommendation

ERC20s that enforce blacklists normally prevent a sanctioned address from being able to transact:

📄 Stablecoin.sol

+ error Blacklisted(address account);

+function _update(address from, address to, uint256 value) internal virtual override {
+
+  if (blacklisted(from)) revert Blacklisted(from); 
+  if (blacklisted(to)) revert Blacklisted(to);
+
+  super._update(from, to, value);
+}
sherlock-admin4 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid; high(1)

sherlock-admin4 commented 7 months ago

The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-contracts/pull/3.

spacegliderrrr commented 7 months ago

Fix looks good, blacklisted addresses can no longer send and receive tokens.

sherlock-admin4 commented 7 months ago

The Lead Senior Watson signed off on the fix.