Open sherlock-admin2 opened 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid; high(1)
The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-contracts/pull/3.
Fix looks good; blacklisted addresses can no longer send or receive tokens.
The Lead Senior Watson signed off on the fix.
cawfree
medium
Blacklisted accounts can still transact.
Summary
Accounts that have been blacklisted by the BLACKLISTER_ROLE continue to transact normally.
Vulnerability Detail
Currently, the only real effect of blacklisting an account is the seizure of Stablecoin funds:
However, following a call to addBlackList(address), the blacklisted account may continue to transact using Stablecoin.
Combined with previous audit reports, which attest to the blacklist function's susceptibility to frontrunning, the current implementation of the blacklist operation can effectively be considered a no-op.
Impact
Medium, as this is the failure of a manually administered security feature.
Code Snippet
📄 Stablecoin.sol
Tool used
Manual Review
Recommendation
ERC20s that enforce blacklists normally prevent a sanctioned address from being able to transact:
📄 Stablecoin.sol
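As an added illustration of the recommendation (this is not Telcoin's Stablecoin.sol and not the code from the linked PR), the contract below enforces the blacklist on every balance change. It assumes OpenZeppelin v5 (where all transfers, mints and burns pass through `_update`); `BLACKLISTER_ROLE` and `addBlackList` follow the names in the report, while seizing to the caller and the `removeBlackList` function are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical blacklist-enforcing stablecoin for illustration only.
contract BlacklistedStablecoin is ERC20, AccessControl {
    bytes32 public constant BLACKLISTER_ROLE = keccak256("BLACKLISTER_ROLE");

    mapping(address => bool) private _blacklisted;

    error Blacklisted(address account);
    event BlackListAdded(address indexed account, uint256 seized);
    event BlackListRemoved(address indexed account);

    constructor() ERC20("Example Stablecoin", "eUSD") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(BLACKLISTER_ROLE, msg.sender);
    }

    function isBlacklisted(address account) external view returns (bool) {
        return _blacklisted[account];
    }

    /// Seize first, then flag: the seizure moves tokens out of `account`,
    /// and the `_update` check below would reject that if the flag were set.
    function addBlackList(address account) external onlyRole(BLACKLISTER_ROLE) {
        uint256 seized = balanceOf(account);
        if (seized > 0) _transfer(account, msg.sender, seized); // assumed destination
        _blacklisted[account] = true;
        emit BlackListAdded(account, seized);
    }

    function removeBlackList(address account) external onlyRole(BLACKLISTER_ROLE) {
        _blacklisted[account] = false;
        emit BlackListRemoved(account);
    }

    /// In OpenZeppelin v5 every balance change (transfer, transferFrom, mint,
    /// burn) goes through `_update`, so checking both endpoints here blocks a
    /// sanctioned address from sending or receiving by any path.
    function _update(address from, address to, uint256 value) internal override {
        if (_blacklisted[from]) revert Blacklisted(from);
        if (_blacklisted[to]) revert Blacklisted(to);
        super._update(from, to, value);
    }
}
```

Because `transferFrom` also routes through `_update`, a spender holding an allowance from a blacklisted account is blocked as well, which is the case an approval-only check would miss.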