Steadefi

Tags: DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

If an address gets Blacklisted by any asset tokens, there can be loss of funds

Summary

There exists a potential risk of fund loss if critical addresses involved in the protocol, such as the Trove, depositVault, withdrawalVault, or the admin/owner addresses, are blacklisted by any of the asset tokens like USDC used within the system.

Vulnerability Details

Asset tokens like USDC have built-in blacklisting capabilities that can restrict transfers from or to certain addresses. If critical system addresses are blacklisted, it becomes impossible to execute transactions involving these tokens, such as depositing, withdrawing, or compounding rewards. Since smart contracts cannot react to or mitigate the effects of being blacklisted after the fact, this could lead to a situation where funds are effectively stuck without any recourse.

The depositor can still choose the token he wants to withdraw in, but loses an amount equal to EXECUTION_FEE if he withdraws in a token where his address is blacklisted.

Impact

The impact of such blacklisting could be severe:

  • Operational Disruption: The protocol's normal operations, such as deposits, withdrawals, and internal compounding/rebalancing, could be halted.

  • Loss of Funds: Users might lose access to their funds if they are held in addresses that are blacklisted.

Tools Used

Manual review

Recommendations

  • Allow every address used by the Vault to be updatable by a dedicated admin/Owner. For now, only the Trove address is updatable.

  • Implement a multisig for owner access.
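The following Foundry test is an added illustration of the failure mode and the first recommendation; it is not Steadefi's code. It assumes a constructed mock token with a USDC-style blacklist and a stripped-down vault whose withdrawal routing address (`withdrawalVault`) is a stand-in for the hard-coded addresses discussed above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed mock: a token whose issuer can blacklist addresses (assumption, not real USDC).
contract BlacklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isBlacklisted;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function setBlacklisted(address a, bool b) external { isBlacklisted[a] = b; }
    function transfer(address to, uint256 amt) external returns (bool) {
        require(!isBlacklisted[msg.sender] && !isBlacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amt; balanceOf[to] += amt; return true;
    }
}

// Minimal vault (hypothetical): the routing address is owner-updatable, as the recommendation asks.
contract Vault {
    address public owner; address public withdrawalVault; BlacklistToken public asset;
    event WithdrawalVaultUpdated(address oldAddr, address newAddr);
    constructor(BlacklistToken a, address wv) { owner = msg.sender; asset = a; withdrawalVault = wv; }
    function setWithdrawalVault(address wv) external {
        require(msg.sender == owner, "not owner"); require(wv != address(0), "zero address");
        emit WithdrawalVaultUpdated(withdrawalVault, wv); withdrawalVault = wv;
    }
    // Withdrawals are routed through withdrawalVault; if it is blacklisted, the transfer reverts.
    function routeWithdrawal(uint256 amt) external { require(asset.transfer(withdrawalVault, amt), "transfer failed"); }
}

contract BlacklistTest is Test {
    function test_fundsStuckUntilAddressRotated() public {
        BlacklistToken t = new BlacklistToken();
        address wv = makeAddr("withdrawalVault");
        Vault v = new Vault(t, wv);
        t.mint(address(v), 1000);
        t.setBlacklisted(wv, true);          // issuer blacklists the address the vault relies on
        vm.expectRevert(bytes("blacklisted"));
        v.routeWithdrawal(100);              // stuck: a fixed address cannot be worked around
        address fresh = makeAddr("withdrawalVault2");
        v.setWithdrawalVault(fresh);         // owner (ideally a multisig) rotates to a clean address
        v.routeWithdrawal(100);
        assertEq(t.balanceOf(fresh), 100);   // withdrawals flow again
    }
}
```

Run with `forge test --match-contract BlacklistTest`; without the setter, the second `routeWithdrawal` would have no path to succeed.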

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS for the tokens with a blacklist

Impact: High Likelihood: Low
