User could get their funds stuck if they get blacklisted while also being greenlisted

Summary

Users who currently have the GREENLISTED_ROLE could also have the BLACKLISTED_ROLE at the same time, which would result in them being griefed their deposited funds to the protocol without receiving mTBILLs in return.

Vulnerability Detail

Issuing mTBILLs on-chain is a two-step process (not counting the KYC and other off-chain processes). Users who want to receive mTBILLs would first deposit USD to the protocol, and then the admin with the role M_TBILL_MINT_OPERATOR_ROLE would mint the mTBILL ERC20 Tokens for the user.

However, at the moment, there's nothing hindering a user to be both greenlisted and blacklisted at the same time leading to the following scenario:

When the user deposits their funds, only their GREENLISTED_ROLE is validated in the function as seen in the code below:

   function deposit(address tokenIn, uint256 amountUsdIn)
        external
        onlyGreenlisted(msg.sender)
        whenNotPaused
    { ... }

Only when the admin mints the mTBILLs (through the mint() function) is the BLACKLISTED_ROLE checked, but at that time - the funds have already been sent to the contract. The user is unable to get it back (such as calling the redeem() function) due to already being blacklisted and thus unable to interact with the mTBILLs ERC20 token.

Impact

As a result, the user will have lost their deposit without the means to get it back from the contract.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L91-L94

Tool used

Manual Review

Recommendation

Add the modifier onlyNotBlacklisted to the deposit() function that validates that the user is not blacklisted.

Duplicate of #105

sherlock-audit / 2024-05-midas-judging

vangrim - User could get their funds stuck if they get blacklisted while also being greenlisted #139