MorpheusAI
Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Unable to withdraw blacklisted users' tokens

Summary

In the withdraw function, tokens are transferred directly to the user's address, as shown below:

IERC20(depositToken).safeTransfer(user_, amount_);

Vulnerability Details

While withdrawing, tokens are transferred to the user directly. However, if the user's address has been blacklisted by, say, USDC, this transfer will always revert and the user will not be able to withdraw.

Below is a POC of how such a scenario might happen:

1. User Contribution: Users deposit stETH into the Smart Contract.

2. Daily Yield Distribution: The daily yield generated from the deposited stETH is distributed. 50% of the yield is used to purchase tokens in the open source project.

3. Token Purchase with USDC: The purchased tokens are bought using USDC. This may involve swapping stETH for USDC and then using the USDC to acquire the open source project's native token.

4. AMM Trading Pair Liquidity: The purchased tokens (native token of the open source project) are contributed to an AMM trading pair as Protocol Owned Liquidity.

5. Remaining stETH: The other 50% of the daily yield remains as stETH.

6. AMM Liquidity for stETH: The remaining stETH is added to an AMM as the other half of the trading pair as Protocol Owned Liquidity.

7. Token Emission to Contributors: The open source project emits its native token to the contributor of the yield on a daily basis.

In summary, if the open source project utilizes USDC and users are contributing stETH, the process involves converting stETH to USDC to purchase the open source project's native token.

Tools Used

Manual analysis

Recommendations

Allow users to claim their tokens themselves instead of sending them directly, or prevent blacklisted users from participating.
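The push-style pattern the finding points at, next to the pull-style alternative the recommendation asks for. This is an added illustration, not the Morpheus code base or the auditor's code; `PullWithdrawExample`, `deposits`, `withdrawPush` and `withdraw` are hypothetical names, and the only external dependency assumed is OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example contrasting push- and pull-style withdrawals.
/// Not the project's code: the contract, storage and function names here are
/// hypothetical and exist only to show the two patterns side by side.
contract PullWithdrawExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable depositToken;

    /// Principal each depositor is owed, in units of `depositToken`.
    mapping(address => uint256) public deposits;

    event Withdrawn(address indexed user, address indexed receiver, uint256 amount);

    constructor(IERC20 depositToken_) {
        depositToken = depositToken_;
    }

    function deposit(uint256 amount_) external {
        deposits[msg.sender] += amount_;
        depositToken.safeTransferFrom(msg.sender, address(this), amount_);
    }

    /// Push style (the pattern the finding describes). The contract hard-codes
    /// the recipient as the caller. If the token refuses transfers to that
    /// address, safeTransfer reverts on every attempt and the caller has no
    /// other path to the funds.
    function withdrawPush(uint256 amount_) external {
        deposits[msg.sender] -= amount_; // reverts on underflow in 0.8.x
        depositToken.safeTransfer(msg.sender, amount_);
        emit Withdrawn(msg.sender, msg.sender, amount_);
    }

    /// Pull style. Accounting is still keyed on msg.sender, so only the
    /// depositor can move their own balance, but the depositor names the
    /// receiver. If the token rejects msg.sender, the call reverts and the
    /// depositor can retry with a different receiver; the balance is untouched
    /// because the whole transaction reverted.
    function withdraw(uint256 amount_, address receiver_) external {
        require(receiver_ != address(0), "zero receiver");
        deposits[msg.sender] -= amount_;
        depositToken.safeTransfer(receiver_, amount_);
        emit Withdrawn(msg.sender, receiver_, amount_);
    }
}
```

The receiver parameter is the whole fix: it turns "send to the user" into "send where the user says", so a transfer restriction on one address no longer strands the balance. The trade-off is that the contract can no longer assume the recipient equals the depositor, which matters if anything downstream relies on that. The second option in the recommendation, refusing blacklisted participants at deposit time, is only possible for tokens that expose their list (Circle's fiat token contracts, for example, expose an `isBlacklisted(address)` view); a generic ERC-20 interface gives the contract no way to ask.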

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement