sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


cawfree - Blacklisted accounts can still transact. #4

Open sherlock-admin2 opened 8 months ago

sherlock-admin2 commented 8 months ago

cawfree

medium

Blacklisted accounts can still transact.

Summary

Accounts that have been blacklisted by the BLACKLISTER_ROLE continue to transact normally.

Vulnerability Detail

Currently, the only real effect of blacklisting an account is the seizure of Stablecoin funds:

/**
 * @notice Overrides Blacklist function to transfer balance of a blacklisted user to the caller.
 * @dev This function is called internally when an account is blacklisted.
 * @param user The blacklisted user whose balance will be transferred.
 */
function _onceBlacklisted(address user) internal override {
  _transfer(user, _msgSender(), balanceOf(user));
}

However, following a call to addBlackList(address), the blacklisted account may continue to transact using Stablecoin.

Combined with previous audit reports, which attest to the blacklist function's susceptibility to frontrunning, the current implementation of the blacklist operation can effectively be considered a no-op.

Impact

Medium, as this is the failure of a manually administered security feature.

Code Snippet

📄 Stablecoin.sol

Tool used

Manual Review

Recommendation

ERC20s that enforce blacklists normally prevent a sanctioned address from being able to transact:

📄 Stablecoin.sol

+ error Blacklisted(address account);

+function _update(address from, address to, uint256 value) internal virtual override {
+
+  if (blacklisted(from)) revert Blacklisted(from); 
+  if (blacklisted(to)) revert Blacklisted(to);
+
+  super._update(from, to, value);
+}
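Review bot: the `from` check in this hunk will also reject the seizure transfer that `_onceBlacklisted` performs via `_transfer(user, _msgSender(), balanceOf(user))` if the account's blacklist flag is already set by the time that hook runs, since `user` is then the `from` of a transfer routed through `_update`. Either perform the seizure before the flag is set, or let the seizure path skip the `from` check, and add a test that `addBlackList` still moves the balance after this override is in place. Worth confirming too that the inherited ERC20 actually exposes a virtual `_update(address,address,uint256)` (OpenZeppelin v5 does; v4 uses `_beforeTokenTransfer`), and that `+ error Blacklisted(address account);` lands inside the contract body rather than at file scope.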
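To show the finding end to end, here is a minimal blacklistable ERC20 written for this note (not Telcoin's Stablecoin.sol or Blacklist contract). It assumes OpenZeppelin Contracts v5 for `ERC20._update` and `AccessControl`; it keeps the balance seizure from `_onceBlacklisted` but orders it before the flag is set, so the `_update` guard that blocks the sanctioned address does not revert the seizure itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 (ERC20 routes every mint, burn and
// transfer through the virtual _update hook). Illustrative contract only.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract BlacklistableStablecoin is ERC20, AccessControl {
    bytes32 public constant BLACKLISTER_ROLE = keccak256("BLACKLISTER_ROLE");

    error Blacklisted(address account);

    mapping(address => bool) private _blacklisted;

    constructor() ERC20("Example Stablecoin", "eXSC") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(BLACKLISTER_ROLE, msg.sender);
    }

    function blacklisted(address account) public view returns (bool) {
        return _blacklisted[account];
    }

    /// @notice Seize first, then flag. If the flag were set before the seizure,
    /// the `from` check in `_update` would revert the seizure transfer itself.
    function addBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        if (_blacklisted[user]) revert Blacklisted(user);
        _transfer(user, _msgSender(), balanceOf(user)); // same effect as _onceBlacklisted
        _blacklisted[user] = true;
    }

    function removeBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        _blacklisted[user] = false;
    }

    /// @dev Single choke point: a sanctioned address can neither send nor
    /// receive, and cannot be minted to or burned from, once flagged.
    function _update(address from, address to, uint256 value) internal override {
        if (_blacklisted[from]) revert Blacklisted(from);
        if (_blacklisted[to]) revert Blacklisted(to);
        super._update(from, to, value);
    }
}
```

After `addBlackList(user)`, `transfer` and `transferFrom` involving `user` revert with `Blacklisted(user)`, whereas the original `_onceBlacklisted`-only design leaves those calls working with whatever balance the account receives later.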

sherlock-admin4 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid; high(1)

sherlock-admin4 commented 8 months ago

The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-contracts/pull/3.

spacegliderrrr commented 8 months ago

Fix looks good, blacklisted addresses can no longer send and receive tokens.

sherlock-admin4 commented 8 months ago

The Lead Senior Watson signed off on the fix.