search

sherlock-audit / 2024-02-telcoin-platform-audit-update-judging

3 stars 1 forks source link

ydlee - Blacklist users cannot get their tokens back when they are removed from blacklist. #44

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

ydlee

high

Blacklist users cannot get their tokens back when they are removed from blacklist.

Summary

When a user is added to the blacklist, his token is transferred to the BLACKLISTER_ROLE, but when the user is later removed from the blacklist, his token is not returned. This may lead to a loss of tokens for the user.

Vulnerability Detail

While adding user to blacklist by addBlackList, callback function _onceBlacklisted get called.

    function addBlackList(
        address user
    ) public virtual onlyRole(BLACKLISTER_ROLE) {
        if (blacklisted(user)) revert AlreadyBlacklisted(user);
        _setBlacklist(user, true);
        _onceBlacklisted(user);  // @audit
        emit AddedBlacklist(user);
    }

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L72-L79

In the _onceBlacklisted callback, the blacklist user's tokens are totally transfered to the message sender that issues the transaction.

    function _onceBlacklisted(address user) internal override {
        _transfer(user, _msgSender(), balanceOf(user));   // @audit
    }

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/stablecoin/Stablecoin.sol#L123-L125

Blacklist contract allows to remove a user from blacklist by removeBlackList, however the users' tokens are not returned. This lead to a loss of tokens for the user.

    function removeBlackList(
        address user
    ) public virtual onlyRole(BLACKLISTER_ROLE) {
        if (!blacklisted(user)) revert NotBlacklisted(user);
        _setBlacklist(user, false);
        emit RemovedBlacklist(user);
    }

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L86-L92

Impact

When a user is removed from the blacklist, his tokens are not returned back, leading to a loss of tokens for the user.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L72-L79

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/stablecoin/Stablecoin.sol#L123-L12

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L86-L92

Tool used

Manual Review

Recommendation

Add a mapping to track the number of tokens the user has transferred to BLACKLISTER_ROLE when he is added to blacklist, and return them when the user are removed from the blacklist.

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

Seems like a design decision + user's fault he got blecklisted