Submission Details
Severity:
Stuck funds for `auctionToken` blacklisted recipients
Summary
claimTokens() function directly performs token transfers to the caller. However, these tokens could be those with blacklist functionality such as USDC. If this is the case, the transfer will always revert if the user is blacklisted by the auctionToken.
Vulnerability Details
function claimTokens() external {
---SNIP---
uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
bids[msg.sender] = 0;
>> auctionToken.transfer(msg.sender, claimable);
emit TokensClaimed(msg.sender, claimable);
}
As seen, the claimable amount will be sent to the caller direcly (msg.sender).
Impact
The problem however stems from the fact that the caller, could be blacklisted by the auctionToken resulting in a revert by the transfer function.
Tools Used
Manual Review
Recommendations
Let the caller of claimTokens() provide a to address to receive the tokens.
- function claimTokens() external {
+ function claimTokens(address to) external {
---SNIP---
uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
bids[msg.sender] = 0;
- auctionToken.transfer(msg.sender, claimable);
+ auctionToken.transfer(to, claimable);
emit TokensClaimed(msg.sender, claimable);
}
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230
USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.