Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Blocklist and Pausable Token Risks in Asset Transactions

Summary

In the current implementation of the protocol, buyers and sellers rely on tokens for transactions within the platform. However, if tokens with blocklist and pause functions are used in these interactions, there may be disruptions that affect the stability, security, and overall efficiency of transactions. Tokens like USDC and USDT are examples of assets that can be paused or blocklisted at any time by the token issuer. This design may lead to issues in asset availability and, in some cases, leave the protocol exposed to unexpected transaction failures.

Vulnerability Details

Blocklist Feature:

  • Tokens such as USDC and USDT have a blocklist function that issuers can use to restrict certain addresses from transacting. If a buyer, seller, or even the protocol’s primary address gets blocklisted, it can render those funds inaccessible. Consequently, transactions that depend on these tokens may halt, affecting users’ ability to buy or sell assets.

Pausable Feature:

  • These tokens can also be paused by their issuing authority, meaning all token transactions can be frozen at the issuer’s discretion. This pausing can occur for various reasons, including protocol upgrades, security issues, or regulatory intervention. If a transaction is attempted during a pause, it will fail, which could delay or prevent buyers and sellers from completing transactions. This feature adds significant unpredictability, as any dependency on these tokens could lead to unexpected downtime or even failed trades.

Impact on Asset Flow:

  • The dependency on these types of tokens could lead to partial or complete transaction failure if a blocklist or pause event is triggered.

Impact

Disrupted Transactions: Buyers and sellers may face unexpected transaction failures when using pausable or blocklist-enabled tokens.

Tools Used

Manual Review

Recommendations

Consider adding functionality that allows switching to an alternative token if the primary token is paused or blocklisted. This mechanism could involve checking token status before each transaction or incorporating a backup liquidity pool with non-pausable tokens.
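One way to implement the status check and token switch recommended above, as an added example that is not part of the original submission or the Swan code base. It assumes the token exposes USDC-style `paused()` and `isBlacklisted(address)` views; `TokenStatus`, `PaymentTokenSelector`, `usable` and `selectToken` are hypothetical names, and tokens with differently named controls need their own probe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Swan code): probes USDC-style issuer controls.
library TokenStatus {
    /// staticcall so a token lacking the function yields false instead of reverting.
    function _flag(address token, bytes memory callData) private view returns (bool) {
        if (token.code.length == 0) return false; // no contract, nothing to probe
        (bool ok, bytes memory ret) = token.staticcall(callData);
        // Decode as uint256: decoding a malformed bool would itself revert.
        return ok && ret.length == 32 && abi.decode(ret, (uint256)) != 0;
    }

    function isPaused(address token) internal view returns (bool) {
        return _flag(token, abi.encodeWithSignature("paused()"));
    }

    function isBlocked(address token, address account) internal view returns (bool) {
        return _flag(token, abi.encodeWithSignature("isBlacklisted(address)", account));
    }
}

/// Hypothetical settlement helper; names are assumptions for illustration.
contract PaymentTokenSelector {
    error NoUsableToken(address primary, address backup);

    address public immutable primary; // e.g. a pausable, blocklist-enabled token
    address public immutable backup;  // alternative used when primary is unusable

    constructor(address primary_, address backup_) {
        primary = primary_;
        backup = backup_;
    }

    /// True when the token is not paused and neither party nor this contract is blocked.
    function usable(address token, address from, address to) public view returns (bool) {
        return !TokenStatus.isPaused(token)
            && !TokenStatus.isBlocked(token, from)
            && !TokenStatus.isBlocked(token, to)
            && !TokenStatus.isBlocked(token, address(this));
    }

    /// Token to settle in for this transfer; reverts with a specific error if neither works.
    function selectToken(address from, address to) external view returns (address) {
        if (usable(primary, from, to)) return primary;
        if (usable(backup, from, to)) return backup;
        revert NoUsableToken(primary, backup);
    }
}
```

Calling `selectToken` in the same transaction as the transfer means the status it reads is the status the transfer will see. A token that exposes neither view is reported as usable, so the transfer's own failure handling is still needed.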

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
