Submission Details
Severity: medium
Invalid

A blacklisted address can result in unforeseen errors

Summary

A blocklisted address can result in unforeseen errors.

Vulnerability Details

https://github.com/d-xo/weird-erc20#tokens-with-blocklists

Certain tokens, such as USDC and USDT, feature a contract-level admin-controlled address blacklist. When an address is blacklisted, all transfers to and from that address are prohibited.

In the event that a user invokes functions like deposit, redeem, or flashloan, the transactions will fail if the user's address is on the blacklist. If a user deposits tokens and their address is subsequently added to the blacklist, the funds will become permanently locked within the asset contract.

Impact

deposit, redeem, flashloan, etc.

Tools Used

Manual Review

Recommendations

Ensure that the receiver is not blacklisted when depositing or withdrawing tokens. Alternatively, implement an expiry check. If the receiver fails to claim the funds after the specified expiry period, allow a special account to burn their asset tokens in exchange for the funds.
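The blocklist behaviour described above and the recommended receiver check, as an added example that is not part of the submission or the audited protocol's code. `BlocklistToken`, `HypotheticalVault`, `isBlocked` and `setBlocked` are constructed names; real tokens expose their own blocklist getters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock of a token with an admin-controlled blocklist (not USDC/USDT source).
contract BlocklistToken {
    address public admin = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public isBlocked;
    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function setBlocked(address who, bool on) external {
        require(msg.sender == admin, "not admin");
        isBlocked[who] = on;
    }
    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt;
        return true;
    }
    function transfer(address to, uint256 amt) external returns (bool) {
        return _move(msg.sender, to, amt);
    }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt; // checked arithmetic: reverts if allowance is too low
        return _move(from, to, amt);
    }
    function _move(address from, address to, uint256 amt) private returns (bool) {
        require(!isBlocked[from] && !isBlocked[to], "blocklisted"); // both directions prohibited
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical vault for illustration; not the audited protocol's code.
contract HypotheticalVault {
    BlocklistToken public immutable asset;
    mapping(address => uint256) public shares;
    constructor(BlocklistToken a) { asset = a; }
    function deposit(uint256 amt, address receiver) external {
        require(!asset.isBlocked(receiver), "receiver blocklisted"); // recommended check
        shares[receiver] += amt;
        require(asset.transferFrom(msg.sender, address(this), amt), "transfer failed");
    }
    function redeem(uint256 amt) external {
        shares[msg.sender] -= amt;
        require(asset.transfer(msg.sender, amt), "transfer failed"); // reverts if caller was blocked later
    }
}
```

The check in `deposit` only rejects receivers that are already blocked; an address blocked after depositing still reverts in `redeem`, which is the locked-funds case the report describes.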

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: User deny-listing themselves
