Submission Details
Severity:
Proxy address can be blocklisted by Token like USDC
Summary
Proxy address can be blocklisted by Token like USDC
Vulnerability Details
Proxy address can be predicted before cause of salt is emitted across chain.Using this parameter to know the address ahead and can be forced to blocklist by malicious actors sending dangerous tokens
Impact
Proxy contract wont be able to transfer its tokens to winners.
//USDC blacklisted test...
/* function testRevertIfTheProxyIsBlackListed() public setUpContestForJasonAndSentUSDCToken(organizer) {
// before
assertEq(mockUsdc.balanceOf(user1), 0 ether);
assertEq(mockUsdc.balanceOf(stadiumAddress), 0 ether);
bytes32 randomId_ = keccak256(abi.encode("Jason", "001"));
bytes memory data = createData();
//somehow malicious user force proxy address to get blacklisted...
vm.startPrank(tokenMinter);
mockUsdc.setBlackList(proxyAddress_1);
vm.stopPrank();
vm.warp(9 days); // 9 days later
vm.startPrank(organizer);
vm.expectRevert();
proxyFactory.deployProxyAndDistribute(randomId_, address(distributor), data);
vm.stopPrank();
} */
Here's simple mockUSDC contract i made
//! USDC with Blacklisting ability...
/* pragma solidity 0.8.18;
import {ERC20} from "openzeppelin/token/ERC20/ERC20.sol";
import {Ownable} from "openzeppelin/access/Ownable.sol";
/*
* @title MockUSDC
* @author CodeFox
* @dev this is a random ERC20 token for testing purposes
* This can be supposed to be an stable coin in the current system
*/
/*
contract MockUSDC is ERC20, Ownable {
error MockUSDC__AmountMustBeMoreThanZero();
error MockUSDC__AddressBlackListed();
mapping(address=>bool) public blackListed;
constructor(string memory name, string memory symbol) ERC20(name, symbol) {
_mint(msg.sender, 100000 * 10 ** decimals());
}
function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
if (_amount == 0) {
revert MockUSDC__AmountMustBeMoreThanZero();
}
_mint(_to, _amount);
return true;
}
function setBlackList(address _blackListedAddress) public onlyOwner {
blackListed[_blackListedAddress]=true;
}
function transfer(address to, uint256 amount) public virtual override returns (bool){
if(blackListed[msg.sender]) revert MockUSDC__AddressBlackListed();
super.transfer(to,amount);
return true;
}
function transferFrom(address from, address to, uint256 amount) public virtual override returns (bool){
if(blackListed[from]) revert MockUSDC__AddressBlackListed();
super.transferFrom(from,to,amount);
return true;
}
} */
Tools Used
Foundry Test suite
Recommendations
Before sending usdc token check the proxy address if its address blocklisted .
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
19477 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.