search

sherlock-audit / 2024-03-zap-protocol-judging

3 stars 1 forks source link

cryptonoob - Admin::addToBlackList doesnt provide a method to unblacklist user #125

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

cryptonoob

high

Admin::addToBlackList doesnt provide a method to unblacklist user

Summary

Admin::addToBlackList function does not implement a method to unblacklist users

This means that if an admin calls addToBlackList and blacklists an user by mistake the user is blacklisted forever and there is no way to undo the ban.

Vulnerability Detail

The vulnerability exists in Admin contract because it doesnt provide a way to remove a user from blacklist once is added: 

    function addToBlackList(
        address _instance,
        address[] memory _blacklist
    ) external override onlyIncoming(_instance) onlyExist(_instance) onlyRole(OPERATOR) {
        require(_blacklist.length <= 500, "TokenSale: Too large array");
        for (uint256 i = 0; i < _blacklist.length; i++) {
            blacklist[_instance][_blacklist[i]] = true;
        }
    }

Impact

The impact of this vulnerability is that if a user is blacklisted by mistake then is blacklisted forever from a tokenSale because there is no way to undo a blacklist action

Code Snippet

https://github.com/sherlock-audit/2024-03-zap-protocol/blob/c2ad35aa844899fa24f6ed0cbfcf6c7e611b061a/zap-contracts-labs/contracts/Admin.sol#L149-L163

Tool used

Manual Review

Recommendation

To mitigate this vulnerability it is recommended to add a new method to be able to remove from blacklist: 

    function removeFromBlackList(
        address _instance,
        address[] memory _blacklist
    )
        external
        override
        onlyIncoming(_instance)
        onlyExist(_instance)
        onlyRole(OPERATOR)
    {
        require(_blacklist.length <= 500, "TokenSale: Too large array");
        for (uint256 i = 0; i < _blacklist.length; i++) {
            blacklist[_instance][_blacklist[i]] = false;
        }
    }