Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Whitelisted tokens cannot be changed

peanuts

Summary

Whitelisted tokens cannot be changed. If there is an issue with a token, say a token-depeg scenario, and the protocol doesn't want the organizers/sponsors to use that token anymore, the protocol team cannot change the whitelisted tokens.

Vulnerability Details

In ProxyFactory.sol, the whitelisted tokens are sent as inputs in a constructor:

constructor(address[] memory _whitelistedTokens) EIP712("ProxyFactory", "1") Ownable() {
if (_whitelistedTokens.length == 0) revert ProxyFactory__NoEmptyArray();
for (uint256 i; i < _whitelistedTokens.length;) {
if (_whitelistedTokens[i] == address(0)) revert ProxyFactory__NoZeroAddress();
whitelistedTokens[_whitelistedTokens[i]] = true;
unchecked {
i++;
}
}
}

The whitelisted tokens are then stored in the mapping as shown below:

mapping(address => bool) public whitelistedTokens;

There is no way that anyone can change the whitelistedTokens anymore. In order to change it, the whole ProxyFactory must be overhauled, which is pretty troublesome to do.

Impact

Whitelisted tokens cannot be delisted and new tokens cannot be whitelisted, limiting the flexibility of the protocol. If JPYC decides to have a new version, or USDC/USDT decides to upgrade, then the protocol cannot change accordingly

Tools Used

Manual Review

Recommendations

As the owner is already a centralization risk, there isn't more harm in letting the owner set the whitelisted tokens since the owner has to be trusted anyways. The added function should look something like this, where the owner can update the whitelistedTokens mapping easily.

function updateWhitelist(address token, bool update) public onlyOwner {
whitelistedTokens[token] = update;
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.