DoS can be implemented via blacklisted ERC

Summary

Malicious user can DoS via passing blacklisted token + curator/referrer address.

Vulnerability Detail

In Axis user can pass arbitrary token address. Addresses of curator/referrer also provides by user. Malicious actor can create EMPAM with token that has blacklist functionality. That can affect all functionality with transfers to curator/referrer.

For example, in function settle there is no possible to settle auction because _sendPayout(feeData.curator, curatorFeePayout, routing, auctionOutput) will revert.

Malicious actor can create many lots with attractive prices and bidders will lock their liquidity for lots that will never completed successfully.

Impact

High. Users will wait for something that will never happen.

Code Snippet

https://github.com/sherlock-audit/2024-03-axis-finance/blob/cadf331f12b485bac184111cdc9ba1344d9fbf01/moonraker/src/AuctionHouse.sol#L551

function settle(uint96 lotId_) external override nonReentrant {
        // Validation
        _isLotValid(lotId_);

...
                // Send refund and payout to the bidder
                Transfer.transfer(
                    routing.quoteToken, settlement.pfBidder, settlement.pfRefund, false
                );
                _sendPayout(settlement.pfBidder, settlement.pfPayout, routing, auctionOutput);
            }
...
            // Reduce funding by curator fee and send, if applicable
            if (curatorFeePayout > 0) {
                unchecked {
                    routing.funding -= curatorFeePayout;
                }
                _sendPayout(feeData.curator, curatorFeePayout, routing, auctionOutput);
            }

Tool used

Manual Review

Recommendation

Consider check that curator is not in blacklisted. Or implement transfer function to curator via separate funciton.

Duplicate of #90

sherlock-audit / 2024-03-axis-finance-judging

poslednaya - DoS can be implemented via blacklisted ERC #241