The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: low
Invalid

ERC-20 tokens with blacklisted addresses are not considered

Summary

Transfers of ERC-20 tokens that implement blacklist functionality are not taken into account by the operational (process) functions.

Vulnerability Details

Impact

With the current approach, a blacklisted user can cause a Denial-of-Service (DoS) for the entire system: the token transfer to that user fails inside the process function, so the status cannot be updated to "Open" until the blacklisted user is removed. Resolving this may take an indefinite amount of time and would force the owners to take emergency action.

Tools Used

Manual

Recommendations

Instead of transferring ERC-20 tokens directly to a user inside the operational functions, consider a two-step (pull-payment) process. Create a dedicated contract whose sole purpose is to hold assets and keep a record of authorized addresses together with the token amounts each is allowed to withdraw. During execution of the process functions, route the funds to this contract along with the necessary authorization details, and let users withdraw later. This adds a layer of control that confines any Denial-of-Service (DoS) impact to the specific blacklisted users, while the system continues its normal operation for everyone else. Isolating the failure in this way keeps service uninterrupted for users not subject to such restrictions.
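The pull-payment escrow described above, written as an added illustration rather than code from The Standard's repository; the contract names, the `operator` role and the `credit`/`withdraw` functions are assumptions, and the OpenZeppelin imports are the standard `IERC20`/`SafeERC20` helpers:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical escrow: the process function moves tokens here and records a
/// claim; the recipient pulls the funds later. A token-level blacklist revert
/// then only affects that recipient's own withdraw(), not the process function.
contract PullPaymentEscrow {
    using SafeERC20 for IERC20;

    address public immutable operator; // the contract that routes funds here
    mapping(address token => mapping(address user => uint256)) public claimable;

    event Credited(address indexed token, address indexed user, uint256 amount);
    event Withdrawn(address indexed token, address indexed user, uint256 amount);

    error NotOperator();
    error NothingToWithdraw();

    constructor(address operator_) {
        operator = operator_;
    }

    /// Operator calls this after transferring `amount` of `token` to the escrow.
    function credit(address token, address user, uint256 amount) external {
        if (msg.sender != operator) revert NotOperator();
        claimable[token][user] += amount;
        emit Credited(token, user, amount);
    }

    /// Pull step: the user triggers the transfer. Balance is zeroed before the
    /// external call (checks-effects-interactions); a revert restores it.
    function withdraw(address token) external {
        uint256 amount = claimable[token][msg.sender];
        if (amount == 0) revert NothingToWithdraw();
        claimable[token][msg.sender] = 0;
        IERC20(token).safeTransfer(msg.sender, amount);
        emit Withdrawn(token, msg.sender, amount);
    }
}

/// Hypothetical sketch of the operator side: instead of `token.transfer(user, amount)`,
/// the process function routes funds to the escrow and records the authorization.
abstract contract ProcessWithEscrow {
    using SafeERC20 for IERC20;
    PullPaymentEscrow public escrow;

    function _payOut(IERC20 token, address user, uint256 amount) internal {
        token.safeTransfer(address(escrow), amount); // escrow is never blacklisted
        escrow.credit(address(token), user, amount); // status can now move to "Open"
    }
}
```

A blacklisted user's claim simply stays in the escrow until the token issuer lifts the restriction, so the owners no longer need an emergency intervention to unblock other users.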

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

informational/invalid
