Closed sherlock-admin4 closed 5 months ago
dvyneEth
high
TRANSFER TO BLACKLISTED USER
Summary
Transfer of token to a blocklisted user
Vulnerability Detail
The withdrawToken function in ManageableVault.sol, which is called by a vault admin, allows the transfer of tokens to blocklisted accounts.
Impact
Code Snippet
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/abstract/ManageableVault.sol#L92-L100
Tool used
Manual Review
Recommendation
Check if the withdrawTo is blocklisted:

```solidity
function withdrawToken(
    address token,
    uint256 amount,
    address withdrawTo
) external onlyVaultAdmin {
    // Recommended addition: reject a blocklisted recipient before transferring
    onlyNotBlacklisted(withdrawTo);
    IERC20(token).safeTransfer(withdrawTo, amount);
    emit WithdrawToken(msg.sender, token, withdrawTo, amount);
}
```