Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Protocol has no way to update whitelisted tokens

Summary

The protocol sets the whitelisted tokens only once, at deployment, and has no capability to update them afterwards.
There is no way to add tokens to the whitelist or remove tokens from it.

Vulnerability Details

The protocol owner whitelists tokens only at deployment of ProxyFactory.sol, and there is no capability to update these tokens afterwards. Although the tokens to be whitelisted are expected to be major coins, as stated in the constructor's @NatSpec comment ("e.g. USDC, JPYCv1, JPYCv2, USDT, DAI", ProxyFactory.sol lines 77 and 78), the stated preference is simply stablecoins and major coins, with no specific policy on what properties or risk profile these coins must have. Problems could still arise with one or more of the whitelisted coins or stablecoins. Consider the example cases below.

  • The owner could consider USDT the best coin and deploy with only this token. However, Tether is a centralized coin that can be blocked or stopped due to reserve issues, a depeg, or legal or regulatory action, meaning the project's only whitelisted token can no longer be used in the protocol.

  • The owner could deploy the project with only [USDT, DAI, USDC], but if the majority of sponsors prefer JPYCv1 or JPYCv2, no one will send funds to the Proxies to support the projects, rendering the protocol/project useless.

Impact

High Impact - this renders the protocol useless, as it cannot be funded for contests/innovations or pay out the various supporters/winners.

Tools Used

Manual Analysis

Recommendations

It is recommended that the protocol whitelists as many sound coins as possible, so that the failure of any single coin does not halt the protocol.
It is recommended that coins be chosen not because they are major coins, as stated in the NatSpec notes, but because they carry low risk and so ensure continuity of the protocol and project.
It is recommended to add access-controlled, owner-only functionality to ProxyFactory.sol to add and remove tokens, e.g.

    function addRemoveWhitelistToken(address _token, bool _addRemove) external onlyOwner {
        // true adds the token to the whitelist, false removes it
        whitelistedTokens[_token] = _addRemove;
    }
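As an added illustration (not code from the Sparkn/CodeFox code base), the hypothetical factory below seeds its whitelist in the constructor, as ProxyFactory.sol does, but also exposes an owner-only update function that rejects the zero address and emits an event so whitelist changes can be monitored off-chain. The owner check is a minimal inline modifier rather than the project's own access control, and the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical factory (not Sparkn's ProxyFactory.sol): whitelist is seeded
/// once at deployment, as in the finding, but stays updatable by the owner.
contract WhitelistFactoryExample {
    error NotOwner();
    error ZeroAddress();
    error TokenNotWhitelisted(address token);

    // Emitted on every change so monitoring can alert on unexpected updates.
    event WhitelistUpdated(address indexed token, bool whitelisted);

    address public immutable owner;
    mapping(address => bool) public whitelistedTokens;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Initial whitelist passed at deployment (e.g. stablecoin addresses).
    constructor(address[] memory initialTokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialTokens.length; i++) {
            _setWhitelisted(initialTokens[i], true);
        }
    }

    // Owner-only: add (true) or remove (false) a token after deployment.
    function setWhitelistedToken(address token, bool allowed) external onlyOwner {
        _setWhitelisted(token, allowed);
    }

    function _setWhitelisted(address token, bool allowed) internal {
        if (token == address(0)) revert ZeroAddress();
        whitelistedTokens[token] = allowed;
        emit WhitelistUpdated(token, allowed);
    }

    // Any path that moves funds should check the live whitelist, not a
    // value cached at deployment, so removals take effect immediately.
    function requireWhitelisted(address token) public view {
        if (!whitelistedTokens[token]) revert TokenNotWhitelisted(token);
    }
}
```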
