The _update function in your Solidity contract blocks a transfer only when both the from and to addresses are not whitelisted. If either the from or to address is whitelisted, the transfer is permitted, potentially allowing transfers to non-whitelisted addresses when from is authorized.
The vulnerability lies in the conditional check:
This check rejects a transfer only when neither the from nor the to address is whitelisted, so the transfer goes through if either from or to is authorized. If from is authorized, the transfer can occur regardless of whether to is authorized.
This logic flaw could allow transfers to unauthorized addresses when the sender (from) is whitelisted. This could potentially bypass restrictions on token transfers that are intended to ensure compliance with regulatory requirements or project-specific rules.
Unauthorized Transfers: The current implementation allows transfers to occur even if the sender (from address) is whitelisted but the recipient (to address) is not. This violates the intended restriction where transfers should only occur between whitelisted addresses. Unauthorized transfers could potentially lead to tokens being sent to addresses that are not intended to hold the tokens.
Manual review
Update Conditional Check: Modify the conditional check in _update to ensure that both from and to addresses are authorized for the transfer to proceed:
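The flawed check and a strict check side by side, as an added sketch that is not the audited contract's code: the contract name, the authorized mapping, the NotAuthorized error and the address(0) exemption for mint and burn are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sketch; every name here is hypothetical, not taken from the audited code.
contract WhitelistSketch {
    mapping(address => bool) public authorized;
    mapping(address => uint256) public balanceOf;
    address public immutable admin;

    error NotAuthorized(address account);

    constructor() {
        admin = msg.sender;
    }

    function setAuthorized(address account, bool allowed) external {
        require(msg.sender == admin, "only admin");
        authorized[account] = allowed;
    }

    // Flawed form described in the finding: reverts only when BOTH parties are
    // unauthorized, so a single whitelisted side is enough to pass.
    function _checkFlawed(address from, address to) internal view {
        if (!authorized[from] && !authorized[to]) revert NotAuthorized(from);
    }

    // Strict form: reverts when EITHER party is unauthorized.
    // Assumption: address(0) marks mint (from) and burn (to), as in an
    // OpenZeppelin v5 style _update hook, and is exempt from the whitelist.
    function _checkStrict(address from, address to) internal view {
        if (from != address(0) && !authorized[from]) revert NotAuthorized(from);
        if (to != address(0) && !authorized[to]) revert NotAuthorized(to);
    }

    function _update(address from, address to, uint256 value) internal {
        _checkStrict(from, to);
        if (from != address(0)) balanceOf[from] -= value; // checked arithmetic reverts on underflow
        if (to != address(0)) balanceOf[to] += value;
    }

    function mint(address to, uint256 value) external {
        require(msg.sender == admin, "only admin");
        _update(address(0), to, value);
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _update(msg.sender, to, value);
        return true;
    }
}
```

Without the address(0) exemption, a strict both-sides check would also revert every mint and burn unless the zero address itself were whitelisted.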