search

sherlock-audit / 2024-05-midas-judging

13 stars 6 forks source link

meltedblocks - Risk of USDC Blacklisting Breaking Protocol Flow #137

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 6 months ago

meltedblocks

medium

Risk of USDC Blacklisting Breaking Protocol Flow

Summary

The USDC blacklisting feature can disrupt the protocol flow by preventing USDC transfers to blacklisted users during the redemption process.

Vulnerability Detail

USDC has a built-in blacklisting feature that can prevent certain users from receiving USDC tokens. This poses a significant risk to the protocol flow, particularly in the redemption process managed by RedemptionVault.sol. If a user holding mTBILL tokens is blacklisted in the USDC contract, the following issues arise:

  1. The user initiates a redemption transaction to exchange mTBILL for USDC.
  2. The redemption transaction proceeds as normal until the point where USDC needs to be transferred to the user.
  3. The transfer fails because the user is blacklisted, leaving the transaction incomplete and potentially locking the user's assets.

Impact

Medium

Code Snippet

Redeem function - https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/RedemptionVault.sol#L61

Blacklist feature in USDC contract:

/**
 * @dev Throws if argument account is blacklisted.
 * @param _account The address to check.
 */
modifier notBlacklisted(address _account) {
    require(
        !_isBlacklisted(_account),
        "Blacklistable: account is blacklisted"
    );
    _;
}

Tool used

Manual Review

Recommendation

Implement checks to ensure that users are not blacklisted before proceeding with the redemption process.