sa9933 - NO check for blacklist contract in bridge contract

[sherlock-admin2]

sa9933

medium

NO check for blacklist contract in bridge contract

Summary

Blcaklist.sol is made in telcoin but only checks have been put in stablecoin.sol.

Vulnerability Detail

There is no check for Blacklist user by protocol in Bridge Realy.sol

Impact

Balcklisted user can transfer tokens through in bridge contract

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/bridge/BridgeRelay.sol#L67

Tool used

Manual Review

Recommendation

check shoul be there ike stable coim

Duplicate of #4

[ABDuullahi]

Escalate

This should be invalid i believe, it lacks a thorough description of the main issue and how it could be exploited by an attacker/ malicious user.

[sherlock-admin2]

Escalate

This should be invalid i believe, it lacks a thorough description of the main issue and how it could be exploited by an attacker/ malicious user.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[WangSecurity]

I can see how it can be invalid, but decided to leave it as duplicate cause it mentioned the main problem that the blacklisted users can make transactions.

I think it should be invalid and escalation accepted.

[Czar102]

@ABDuullahi @WangSecurity can you further explain what is missing from this report that makes it invalid, apart from author's effort to communicate correctly?

[WangSecurity]

I guess the main reason is the quality of this report. It has lots of mistakes, and address the misimplementation in only one contract. Also, in Vulnerability Detail, they didn't even write the contract's name correctly (Bridge Realy.sol instead of BridgeRelay). Yes, it says that blacklisted users can freely interact with bridge relay contract, but I don't think this report deserves the reward, even tho we can say it's partially correct.

[ABDuullahi]

Well, nothing other than the report quality, taking a look at other duplicates, we can see that most of them mentioned the onset of the vulnerability with a thorough description of the issue and recommendation, had there been something like taking partial credit this would have been valid, but i for now dont think its fair to be a duplicate and share the same rewards as the other duplicates with thorough description of the bug.

[sa9933]

In the report , i have addressed the main issue of blacklisted user can still interact with the protocol , and has mentioned both BridgeRelay.sol and Stablecoin.sol. So factually i have addressed the issue and have mentioned the problem. Also not partially correct with only BridgeRelay.sol but Stablecoin.sol is also mentioned in report.

[Tendency001]

@Czar102 it will be unfair for this issue to be considered as a duplicate because it spoke about blacklist. From the report, you will notice he is talking about how the Bridge contract isn't making use of blacklist, he also suggested using blacklist in bridge as used in stablecoin contract, nothing in the report relates to the main issue.

[Czar102]

I agree with above arguments, planning to invalidate this report.

[sa9933]

@Czar102 @WangSecurity In the report actually the main issue is mentioned properly that blaclisted user can still interact with the protocol. i know report quality is low. i had submiited the wrong report here. You can also see my other report 80 which is proper and descriptive which was prior to this, how come i not make this one proper. By fortune i have properly and factually mentioned the main issue about blacklisted user in this report too. So i have found the issue in protocol. So you please consider this as a valid finding

[Czar102]

After additional discussions, I'm planning to leave the issue as is and reject the escalation. I will make sure basic report quality is enforced in the rules.

[Czar102]

Result: Medium Duplicate of #4

[sherlock-admin3]

Escalations have been resolved successfully!

Escalation status:

• ABDUullahi: rejected