sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


0rpse - addBlackList function can be front-run #50

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

0rpse

medium

addBlackList function can be front-run

Summary

Users can watch the mempool, see that they are about to be blacklisted, and front-run the transaction to avoid losing their funds.

Vulnerability Detail

The addBlackList function adds a malicious user to a blacklist and removes their funds; however, a user can watch the mempool for this transaction and front-run it to transfer the funds to another address.

Impact

Removal of funds upon blacklisting can be evaded.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/21920190e0772afa18e7f856a036fea3ef5b9635/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L72-L79

Tool used

Manual Review

Recommendation

Use a private mempool or revise the blacklisting functionality. You could also use a front-running prevention service on Polygon from bloXroute.

sherlock-admin2 commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

WangAudit commented:

Mentioned in the previous audit with a won't-fix label.

takarez commented:

invalid