Severity: medium
Valid

Potential Risks in Handling USDC within Protocol (Blacklists, Low Decimals, Transfer Fees)

Summary

The Mafia Protocol, as described in the provided README, accepts USDC, and may encounter significant issues from three properties of that token: its admin-controlled blocklist, its low decimal count, and the possibility of a transfer fee being introduced through an upgrade. These issues could leave funds trapped in the contract or cause incorrect accounting, affecting both the security and the functionality of the protocol.

Vulnerability Details

Tokens with Blocklists
Some tokens, such as USDC, have an admin-controlled address blocklist. If the protocol's contract address is added to this blocklist, transfers to and from that address are rejected. This can happen as a result of regulatory action, malicious behaviour attributed to the address, or a compromised token owner, and the outcome is that all USDC held by the contract becomes trapped.

Low Decimals
USDC uses only 6 decimals, and other tokens can use even fewer. Code that assumes 18 decimals will suffer precision loss or mis-scaled amounts during calculations and transfers, which can produce large discrepancies in balances and values within the protocol. The protocol ships a MockUSDC contract for local testing, but the mock does not override `decimals()` and therefore reports the OpenZeppelin ERC20 default of 18 rather than the real value of 6; tests written against the mock will not exercise the scaling the mainnet token requires.

Fee on Transfer
Certain tokens deduct a fee on every transfer. USDC does not charge one today, but it is an upgradeable contract and a fee could be introduced in a future version. A protocol that credits the requested transfer amount rather than the amount actually received will then over-credit depositors, disrupting expected transaction amounts and protocol accounting.

Impact

These vulnerabilities could lead to:

  • Trapped Funds: Blocklisting the contract address can make all USDC funds irretrievable. (The anti-mafia agency could use this to prevent withdrawals)

  • Precision Loss: Low decimals can result in incorrect balances and value calculations. (The protocol doesn't perform any advanced calculations at this point)

  • Unexpected Deductions: Transfer fees can disrupt transaction integrity, leading to potential financial loss. (If the USDC contract gets upgraded on mainnet for example)

Tools Used

  • Manual Code Review: To assess the integration of USDC and other token characteristics.

Recommendations

Blocklist Mitigation:

  • Use multiple token options and fallback mechanisms.

Transfer Fee Consideration:

  • Check for the transferFee parameter in token contracts.

  • Implement checks and balances to account for potential transfer fees.

Decimal Handling:

  • Change the MockUSDC contract so that it overrides `decimals()` and returns 6, matching mainnet USDC (the added function is marked in the comment):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract MockUSDC is ERC20 {
    constructor() ERC20("USDC", "USDC") {
        _mint(msg.sender, 1_000_000e6);
    }

    // Added: report 6 decimals like real USDC instead of the ERC20 default of 18
    function decimals() public view virtual override returns (uint8) {
        return 6;
    }
}
```
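The transfer-fee and decimal-handling recommendations above, combined in one added example that is not part of the Mafia Protocol codebase. The contract name `FeeAwareVault`, the `deposit` and `toWad` functions, and the OpenZeppelin import paths are assumptions for illustration; the pattern is to credit only the balance delta actually received and to read `decimals()` from the token rather than hard-coding 18.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault showing fee-on-transfer safe deposits and decimals-aware scaling.
contract FeeAwareVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint8 public immutable tokenDecimals;

    // Credited in raw token units; only ever increased by what actually arrived.
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
        // Read decimals from the token (6 for USDC) instead of assuming 18.
        // Reverts at deployment if the token does not expose decimals().
        tokenDecimals = IERC20Metadata(address(_token)).decimals();
    }

    /// Measure the balance before and after the transfer and credit only the delta,
    /// so a future fee-on-transfer upgrade of USDC cannot over-credit the depositor.
    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        balances[msg.sender] += received;
    }

    /// Scale a raw token amount to an 18-decimal internal value. For 6-decimal USDC
    /// this multiplies by 1e12; a naive 18-decimal assumption would be off by that factor.
    function toWad(uint256 amount) public view returns (uint256) {
        if (tokenDecimals == 18) return amount;
        if (tokenDecimals < 18) return amount * 10 ** (18 - tokenDecimals);
        return amount / 10 ** (tokenDecimals - 18);
    }
}
```

In a Foundry test, deploying this vault against the corrected MockUSDC (6 decimals) and against a mock with the default 18 decimals makes the scaling difference visible through `toWad`, and a mock that burns a fee inside `transferFrom` shows `deposit` crediting less than `amount`.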
Updates

Lead Judging Commences

n0kto, Lead Judge, about 1 year ago: Submission Judgement Published. Invalidated. Reason: Too generic. Assigned finding tag: USDC handling

Mill, Submitter, about 1 year ago

n0kto, Lead Judge, about 1 year ago

n0kto, Lead Judge, about 1 year ago: Submission Judgement Published. Validated. Assigned finding tag: USDC blacklist
