sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


blutorque - Missing blacklist check beforeTokenTransfer allows anyone to bypass the blacklist mechanism #41

Closed sherlock-admin4 closed 8 months ago

sherlock-admin4 commented 8 months ago

blutorque

medium

Missing blacklist check beforeTokenTransfer allows anyone to bypass the blacklist mechanism

Summary

See Detail.

Vulnerability Detail

A user can be blacklisted, restricting any stablecoin transfer from that address. Currently, due to the absence of a check before the token transfer, a blacklisted address can transfer from/to without restriction.

Impact

Bypassing the blacklist mechanism.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/stablecoin/Stablecoin.sol

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L62

Tool used

Manual Review

Recommendation

In Stablecoin.sol, override _beforeTokenTransfer to add the following check:

require(!blacklisted(destination), "Stablecoin: destination cannot be blacklisted address");

Duplicate of #4
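
An added, self-contained sketch of the pattern the recommendation describes; it is not part of the original report and is not Telcoin's Stablecoin.sol or Blacklist.sol. The contract name MiniBlacklistToken, setBlacklisted, and the storage layout are hypothetical, and the hook here checks the source as well as the destination, which goes one step beyond the single require quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token used only to illustrate the hook placement.
contract MiniBlacklistToken {
    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) private _blacklist;

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    function blacklisted(address user) public view returns (bool) {
        return _blacklist[user];
    }

    // Assumed admin entry point; the real contract's access control differs.
    function setBlacklisted(address user, bool status) external {
        require(msg.sender == owner, "not owner");
        _blacklist[user] = status;
    }

    // Runs before every balance change. If these requires are absent, the
    // blacklist flag is stored but never enforced on the transfer path.
    function _beforeTokenTransfer(address source, address destination, uint256) internal view {
        require(!blacklisted(source), "source cannot be blacklisted address");
        require(!blacklisted(destination), "destination cannot be blacklisted address");
    }

    function transfer(address destination, uint256 amount) external returns (bool) {
        _beforeTokenTransfer(msg.sender, destination, amount);
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8+
        balanceOf[destination] += amount;
        return true;
    }
}
```

A regression test for this pattern should blacklist an address and then assert that transfers both from it and to it revert.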

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid; high(1)