search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

Minato7namikazi - unhandled case in the `whitelist` and `blacklist` functions #551

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

Minato7namikazi

Medium

unhandled case in the whitelist and blacklist functions

Vulnerability Detail

unhandled case in the whitelist and blacklist functions:

function whitelist(address _token) public {
    require(msg.sender == governor);
    _whitelist(_token);
}

function _whitelist(address _token) internal {
    require(!isWhitelisted[_token]);
    isWhitelisted[_token] = true;
    emit Whitelisted(msg.sender, _token);
}

function blacklist(address _token) public {
    require(msg.sender == governor);
    _blacklist(_token);
}

function _blacklist(address _token) internal {
    require(isWhitelisted[_token]);
    isWhitelisted[_token] = false;
    emit Blacklisted(msg.sender, _token);
}

The bug here is that there's no mechanism to handle tokens that are part of existing pools when they are blacklisted. This can lead to a situation where:

  1. A token is whitelisted and used in pools.
  2. The token is later blacklisted.
  3. The existing pools with the now-blacklisted token continue to operate without any changes.

This scenario could potentially allow deprecated or problematic tokens to remain active in the system, which might not be the intended behavior when blacklisting a token.

To address this issue, we should add functionality to handle existing pools when a token is blacklisted. So we should

  1. Iterate through all existing pools.
  2. Check if the blacklisted token is part of each pool.
  3. If a pool contains the blacklisted token, pause its associated gauge.

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Voter.sol#L301

Tool used

Manual Review

nevillehuang commented 3 months ago

Invalid, there is no exploit here. Whitelisting/Blacklisting mechanism is only meant to be use for gauge pool creation

Any users can create gauge for pools with whitelisted tokens on one side. (Permissionless gauge creation) Otherwise, gauge for pools without whitelisted tokens can only be created by protoc