Open sherlock-admin2 opened 3 months ago
Nice issue. I missed the escalation period but still want to make a comment - should this theoretically be medium instead of high, since it won't cause a direct loss of funds or non-material losses?
Although I have missed this finding, I think High is appropriate because the user can easily bypass the blacklist status.
Drynooo
high
Malicious users can bypass the blacklist.
Summary
The protocol sets the blacklist through roles, and users can bypass the blacklist through the renounceRole function.
Vulnerability Detail
mTBILL does not allow blacklisted users to transfer funds.
But it is implemented in the form of giving BLACKLISTED_ROLE.
The AccessControlUpgradeable contract has a renounceRole function, through which users can give up their BLACKLISTED_ROLE, thereby bypassing the blacklist.
Impact
Malicious users can bypass the blacklist.
Code Snippet
Tool used
Manual Review
Recommendation
It is recommended not to use roles to implement blacklists.
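As an added illustration of the pattern described in the Vulnerability Detail and of the recommendation above (this is example code written for this page, not mTBILL's contracts or code from the reporter), the first contract below models the weak design: the blacklist is a role, so the inherited `renounceRole` entry point lets the flagged holder clear it. The second contract keeps the blacklist in a plain mapping that only a privileged operator can change. It assumes OpenZeppelin Contracts v5.x (the non-upgradeable `ERC20`/`AccessControl` variants for brevity; `AccessControlUpgradeable` exposes the same `renounceRole` function); the contract names, `BLACKLIST_OPERATOR_ROLE` and `setBlacklisted` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes OpenZeppelin v5.x.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Weak pattern: the blacklist is an AccessControl role. AccessControl lets any
/// account drop its own roles via renounceRole(role, msg.sender), so the
/// blacklisted holder can remove the flag without operator involvement.
contract RoleBlacklistToken is ERC20, AccessControl {
    bytes32 public constant BLACKLISTED_ROLE = keccak256("BLACKLISTED_ROLE");
    bytes32 public constant BLACKLIST_OPERATOR_ROLE = keccak256("BLACKLIST_OPERATOR_ROLE");

    constructor(address admin) ERC20("Role Blacklist Token", "RBT") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(BLACKLIST_OPERATOR_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _mint(to, amount);
    }

    function blacklist(address account) external onlyRole(BLACKLIST_OPERATOR_ROLE) {
        _grantRole(BLACKLISTED_ROLE, account);
    }

    // Transfer guard keyed on the role. Once the holder has renounced
    // BLACKLISTED_ROLE (inherited public function), both checks pass again.
    function _update(address from, address to, uint256 value) internal override {
        require(!hasRole(BLACKLISTED_ROLE, from), "blacklisted sender");
        require(!hasRole(BLACKLISTED_ROLE, to), "blacklisted recipient");
        super._update(from, to, value);
    }
}

/// Hardened pattern: the blacklist is a dedicated mapping behind an
/// operator-only setter. No public function lets the flagged account clear it.
contract MappingBlacklistToken is ERC20, AccessControl {
    bytes32 public constant BLACKLIST_OPERATOR_ROLE = keccak256("BLACKLIST_OPERATOR_ROLE");

    mapping(address => bool) private _blacklisted;

    event Blacklisted(address indexed account, bool status);

    constructor(address admin) ERC20("Mapping Blacklist Token", "MBT") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(BLACKLIST_OPERATOR_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _mint(to, amount);
    }

    // Only the operator role can add or remove an entry; the subject cannot.
    function setBlacklisted(address account, bool status) external onlyRole(BLACKLIST_OPERATOR_ROLE) {
        _blacklisted[account] = status;
        emit Blacklisted(account, status);
    }

    function isBlacklisted(address account) public view returns (bool) {
        return _blacklisted[account];
    }

    // Same transfer guard, keyed on state that renounceRole cannot touch.
    function _update(address from, address to, uint256 value) internal override {
        require(!_blacklisted[from], "blacklisted sender");
        require(!_blacklisted[to], "blacklisted recipient");
        super._update(from, to, value);
    }
}
```

When reviewing a role-based restriction, the check to run is whether the restricted account has any self-service path out of the role: in OpenZeppelin's AccessControl that path is the public `renounceRole`, which exists precisely so accounts can shed privileges, the opposite of what a blacklist needs. Keeping roles and overriding `renounceRole` to revert for `BLACKLISTED_ROLE` is a possible alternative to the mapping, but it leaves the restriction coupled to a privilege-management API, which is why the plain mapping is the simpler fix to reason about.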