pkqs90 - `mTBILL` blacklisted users can still successfully call the `transferFrom()` function

[sherlock-admin3]

pkqs90

medium

mTBILL blacklisted users can still successfully call the transferFrom() function

Summary

The README states that users with the BLACKLISTED_ROLE should Cannot access the mTBILL contract. However, the blacklisted user is still able to call transferFrom().

Vulnerability Detail

The blacklist check is only restricted during the _beforeTokenTransfer function. However, the user can still call transferFrom(), which means as long as another mTBILL holder approves the blacklisted user of some allowance, the blacklisted user can spend it on his behalf.

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/mTBILL.sol

    function _beforeTokenTransfer(
        address from,
        address to,
        uint256 amount
    )
        internal
        virtual
        override(ERC20PausableUpgradeable)
>       onlyNotBlacklisted(from)
>       onlyNotBlacklisted(to)
    {
        ERC20PausableUpgradeable._beforeTokenTransfer(from, to, amount);
    }

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/v4.9.0/contracts/token/ERC20/ERC20Upgradeable.sol#L163C1-L168C6

    function transferFrom(address from, address to, uint256 amount) public virtual override returns (bool) {
        address spender = _msgSender();
        _spendAllowance(from, spender, amount);
        _transfer(from, to, amount);
        return true;
    }

Note: even though USDT is implemented in the same way, the README clearly states that blacklisted users Cannot access the mTBILL contract, which conflicts with the user being able to call transferFrom().

Impact

Blacklisted users can still access the transferFrom() function of mTBILL.

Code Snippet

• https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/mTBILL.sol#L90-L102

Tool used

Manual review

Recommendation

Add a blacklist check for the caller in transferFrom().