DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Inadequate Handling of Tokens with Blacklisting Functionality in configureCollateralLiquidationPriority Function

Summary

The configureCollateralLiquidationPriority function in the contract does not check whether any token in the collateralTypes array has blacklisting functionality, as the widely used USDC token does. This omission can lead to significant security and operational issues if any of those tokens can blacklist addresses, including the protocol's own address.

Vulnerability Details

The configureCollateralLiquidationPriority function allows the contract owner to set the priority of collateral types for liquidation. However, it does not perform a check to determine if any of the tokens in the collateralTypes array have blacklisting functionality.

Code snippet:

function configureCollateralLiquidationPriority(address[] calldata collateralTypes) external onlyOwner {
    // Only the empty-array case is rejected; nothing is verified about the tokens themselves.
    if (collateralTypes.length == 0) {
        revert Errors.ZeroInput("collateralTypes");
    }
    GlobalConfiguration.Data storage globalConfiguration = GlobalConfiguration.load();
    globalConfiguration.configureCollateralLiquidationPriority(collateralTypes);
    emit LogConfigureCollateralLiquidationPriority(msg.sender, collateralTypes);
}

Vulnerability:

  • The code does not include a check for whether any of the collateralTypes addresses have blacklisting functionality.

  • If the protocol's address is blacklisted by any of these tokens, it will be unable to interact with them, which can lead to various operational disruptions.

Impact

  • Operational Disruption: If the protocol's address is blacklisted by any token in the collateralTypes, it will be unable to handle these tokens, leading to failures in collateral management and liquidation processes.

  • Loss of Funds: User funds could be locked or become inaccessible if they are in the form of blacklisted tokens, potentially causing a loss of user confidence and financial loss.

Tools Used

Manual Code Review: The vulnerability was identified through a manual review of the configureCollateralLiquidationPriority function.

Recommendations

1. Check for Blacklisting Functionality: Implement a check to determine whether any token in the collateralTypes array exposes blacklisting functionality. This can be done by attempting to call a function that signals blacklisting capability, such as isBlacklisted(account) as implemented in the USDC token contract.

interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

function isBlacklistable(address collateralType, address account) internal view returns (bool) {
    // A call that succeeds means the token implements the isBlacklisted selector,
    // whatever it reports for `account`.
    try IBlacklistable(collateralType).isBlacklisted(account) returns (bool) {
        return true;
    } catch {
        // Call reverted: token does not support blacklisting
        return false;
    }
}

If the collateral type exposes an isBlacklisted() function, the helper returns true regardless of whether the account is actually blacklisted. If the function does not exist, the call reverts and the helper returns false, indicating that the function selector is not implemented.

2. Regular Audits: Regularly audit the protocol to ensure no changes in the token standards or blacklisting functionalities could impact the protocol.

3. Audit the Token Contract Before Adding It: Before adding a token contract, the owner should manually review it to verify whether it implements any form of blacklisting functionality.
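A hardened version of the probe from recommendation 1, added here as an illustration and not taken from the Zaros codebase: it queries each collateral type with a low-level staticcall so that addresses without code, reverting calls and non-reverting fallbacks that return malformed data are all reported as "no blacklist support" instead of bubbling a revert, and the owner-gated setter rejects any token that reports the capability or that has already blacklisted the protocol. The interface, library, contract, error and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: only the USDC-style `isBlacklisted(address)` selector is probed.
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

library BlacklistProbe {
    // Returns (supportsBlacklist, accountIsBlacklisted) for `token`. A low-level
    // staticcall is used so that an address with no code, a reverting call, or a
    // fallback returning malformed data yields "not supported" instead of a revert.
    function probe(address token, address account)
        internal view returns (bool supportsBlacklist, bool accountIsBlacklisted)
    {
        if (token.code.length == 0) return (false, false);
        (bool ok, bytes memory ret) = token.staticcall(
            abi.encodeCall(IBlacklistable.isBlacklisted, (account))
        );
        // Require exactly one ABI word so a non-reverting fallback that
        // returns nothing is not mistaken for a real boolean answer.
        if (!ok || ret.length != 32) return (false, false);
        uint256 word = abi.decode(ret, (uint256));
        if (word > 1) return (false, false); // not a canonical bool
        return (true, word == 1);
    }
}

// Hypothetical stand-alone owner-gated setter, not the Zaros implementation.
contract CollateralPriorityGuard {
    error BlacklistableCollateral(address token);
    error ProtocolBlacklisted(address token);
    event LogConfigureCollateralLiquidationPriority(address indexed sender, address[] collateralTypes);

    address public immutable owner = msg.sender;
    address[] public collateralLiquidationPriority;

    function configureCollateralLiquidationPriority(address[] calldata collateralTypes) external {
        require(msg.sender == owner, "not owner");
        require(collateralTypes.length != 0, "collateralTypes");
        for (uint256 i = 0; i < collateralTypes.length; i++) {
            (bool supported, bool blocked) = BlacklistProbe.probe(collateralTypes[i], address(this));
            // Policy: reject a token that already froze this contract, and reject any
            // blacklist-capable token, following recommendation 1 above.
            if (blocked) revert ProtocolBlacklisted(collateralTypes[i]);
            if (supported) revert BlacklistableCollateral(collateralTypes[i]);
        }
        collateralLiquidationPriority = collateralTypes;
        emit LogConfigureCollateralLiquidationPriority(msg.sender, collateralTypes);
    }
}
```

Decoding the return word as uint256 rather than bool is deliberate: abi.decode to bool reverts on a non-canonical value, which would turn a malformed reply into an uncatchable failure of the configuration call.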

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
