USDC implements blacklist to address. Blocked addresses are blocked from sending / receiving tokens.
The bridging process could take days for some chain to finalize.
During this time if the _withdrawData.receiver gets blacklisted, the usdc amount in the source chain gets lost since there isn't any way to return the funds if the call in the destination chain reverts due to the address getting blacklisted (to maybe comply with OFAC sanctions).
Internal pre-conditions
None
External pre-conditions
The receiver address gets blacklisted.
PoC
User calls transaction to bridge usdc.
Sometimes the transaction takes a few days to finalize.
In that time if the receiver address gets blacklisted then it wouldn't be possible for the address to receive the usdc which causes the transaction to revert.
Hence the usdc would be locked in the source chain or it could either block the bridge since the nonce wouldn't increment because the transaction would revert.
Bouncy Butter Cat
Medium
USDC could get stuck if address is blacklisted or block bridge.
Summary
The user could lose the funds sent if, in the duration it takes to bridge, the destination address gets blacklisted.
Root Cause
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/sol-cc/contracts/SolConnector.sol#L81
USDC implements blacklist to address. Blocked addresses are blocked from sending / receiving tokens.
The bridging process could take days for some chain to finalize. During this time if the
_withdrawData.receivergets blacklisted, the usdc amount in the source chain gets lost since there isn't any way to return the funds if the call in the destination chain reverts due to the address getting blacklisted (to maybe comply with OFAC sanctions).Internal pre-conditions
None
External pre-conditions
The receiver address gets blacklisted.
PoC
Mitigation
No response