Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Tokens utilizing a blocklist, such as USDC/USDT, can prevent funds from being received by winners or sent by sponsors.

Summary

USDC and USDT implement an administratively controlled blocklist that prevents a blocked address from sending or receiving the token. This matters here because it was clarified that ERC20 stablecoins such as USDC and USDT will be used in SPARKN.

Vulnerability Details

Note that https://github.com/d-xo/weird-erc20#tokens-with-blocklists shows that:

Some tokens (e.g. USDC, USDT) have a contract level admin controlled address blocklist. If an address is blocked, then transfers to and from that address are forbidden.

The issue arises when supporters (the winners in this case) or sponsors are placed on the USDC/USDT blocklist, possibly without being aware of it, before a prize is sent to them or before they send funds. Neither the Distributor.sol contract nor ProxyFactory.sol currently includes any verification to handle this blocklist scenario.

Impact

Because neither supporters nor sponsors are checked for presence on the blocklist, the contract may be unable to distribute prizes or receive funds.

Tools Used

Static Review

Recommendations

To address this, implement a check (possibly within the distribute function of the Distributor.sol contract) that verifies whether the token in use has a blocklist and, if so, confirms that the receiver or sender is not blocklisted.
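The following is an added illustration of the recommended check, written for this page and not taken from the SPARKN code base. It assumes the two blocklist getters actually exposed by the tokens named in the finding (Circle's FiatToken exposes `isBlacklisted(address)`, Tether's TetherToken exposes the public mapping getter `isBlackListed(address)`), and goes one step beyond the text: instead of reverting when a winner is blocked, which would stall every other winner in the same call, it parks that winner's amount for a later pull-based claim. The names `BlocklistCheck`, `DistributorExample`, `unclaimed`, `claim` and `PrizeSkipped` are hypothetical, and the access control that the real Distributor applies to `distribute` is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Blocklist getters of the two tokens named in the finding. Other tokens may expose neither.
interface IBlocklistUSDC { function isBlacklisted(address account) external view returns (bool); }
interface IBlocklistUSDT { function isBlackListed(address account) external view returns (bool); }

// Hypothetical helper: best-effort pre-flight query of a token's blocklist.
library BlocklistCheck {
    // Returns true only when the token positively reports `account` as blocked.
    // A token that implements neither getter (call reverts or returns no data) is
    // treated as "not blocked"; the transfer itself remains the final arbiter.
    function isBlocked(address token, address account) internal view returns (bool) {
        (bool ok, bytes memory data) = token.staticcall(
            abi.encodeWithSelector(IBlocklistUSDC.isBlacklisted.selector, account)
        );
        if (ok && data.length >= 32) return abi.decode(data, (bool));

        (ok, data) = token.staticcall(
            abi.encodeWithSelector(IBlocklistUSDT.isBlackListed.selector, account)
        );
        if (ok && data.length >= 32) return abi.decode(data, (bool));

        return false;
    }
}

// Hypothetical distributor sketch showing where the check would sit.
contract DistributorExample {
    using SafeERC20 for IERC20;

    // token => winner => prize amount that could not be pushed out
    mapping(address => mapping(address => uint256)) public unclaimed;

    event PrizeSkipped(address indexed token, address indexed winner, uint256 amount);

    // Pays every winner that is not blocked; a blocked winner's share is parked
    // instead of reverting the whole distribution.
    function distribute(address token, address[] calldata winners, uint256[] calldata amounts) external {
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            if (BlocklistCheck.isBlocked(token, winners[i])) {
                unclaimed[token][winners[i]] += amounts[i];
                emit PrizeSkipped(token, winners[i], amounts[i]);
                continue;
            }
            IERC20(token).safeTransfer(winners[i], amounts[i]);
        }
    }

    // Pull path for a parked prize, usable once the winner is no longer blocked.
    function claim(address token) external {
        uint256 amount = unclaimed[token][msg.sender];
        require(amount > 0, "nothing to claim");
        unclaimed[token][msg.sender] = 0;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

Two caveats on the design. First, the getter probe is only a hint: an unrelated token with a permissive fallback could answer the call, and a token can add a blocklist in a later upgrade, so the transfer call (here `safeTransfer`) must still be allowed to fail safely rather than trusted to succeed because the probe returned false. Second, the sponsor side cannot be protected by the receiving contract in the same way; a blocked sponsor's `transferFrom` simply reverts inside the token, so the same `isBlocked` probe is useful there only to produce a clearer error message before attempting the pull.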
