Submission Details
Severity: medium
Valid

Allowlist removal can trap tokens - users lose money

Summary

A depositor can lose their tokens if the token they deposited is later 'unallowed' by the owner.

Vulnerability Details

Consider this example:

  • The protocol 'owner' calls setAllowedToken() for an ERC20 token we'll call 'SomeToken'.

  • An arbitrary user deposits 1000 tokens of 'SomeToken'.

  • The protocol 'owner' deliberately or accidentally calls setAllowedToken() again for 'SomeToken', but this time sets the 'allowed' bool value to 'false'.

  • Whether or not the deposit was borrowed against, our user can no longer call redeem() to get their tokens back.

Impact

Medium. The risk of the contract owner doing this is low, but if they do, users can have a LOT of money frozen, potentially indefinitely.

Tools Used

Manual inspection

Recommendations

There are many possible solutions, depending on the developer's preference, but the most obvious is to remove the revertIfNotAllowedToken() modifier from the redeem() function.
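The pattern described above, as an added example that is not the audited contract's code: a minimal vault showing a redeem path gated by the allowlist next to one without the gate. Only setAllowedToken(), redeem() and revertIfNotAllowedToken() are names from this report; the contract name, deposit(), redeemGated(), the storage layout and the omission of any borrow/collateral check are assumptions made for illustration, and tokens are assumed to return a bool from transfer calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical minimal vault written for this example only.
contract AllowlistVault {
    address public immutable owner;
    mapping(address => bool) public allowed;                        // token => allowlisted
    mapping(address => mapping(address => uint256)) public balance; // user => token => amount

    error TokenNotAllowed(address token);

    constructor() { owner = msg.sender; }

    modifier revertIfNotAllowedToken(address token) {
        if (!allowed[token]) revert TokenNotAllowed(token);
        _;
    }

    function setAllowedToken(address token, bool isAllowed) external {
        require(msg.sender == owner, "not owner");
        allowed[token] = isAllowed;
    }

    // Gating NEW deposits on the allowlist is the legitimate use of the modifier.
    function deposit(address token, uint256 amount) external revertIfNotAllowedToken(token) {
        balance[msg.sender][token] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Behaviour described in the finding: once allowed[token] is false this reverts
    // for every depositor, so existing balances stay locked until the token is re-allowed.
    function redeemGated(address token, uint256 amount) external revertIfNotAllowedToken(token) {
        _redeem(token, amount);
    }

    // Recommended shape: no allowlist check on the exit path. The checked subtraction
    // in _redeem (reverts on underflow) is what bounds the withdrawal.
    function redeem(address token, uint256 amount) external { _redeem(token, amount); }

    function _redeem(address token, uint256 amount) private {
        balance[msg.sender][token] -= amount; // state update before the external call
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

A regression test for the fix would deposit, have the owner call setAllowedToken(token, false), and then check that redeem() still returns the full balance while deposit() reverts.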

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

centralized owners can brick redemptions by unallowing a token
