Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Invalid

USDC can't be claimed if the address is blacklisted

Summary:

In the claimProfit() function, you can withdraw all the profits you have gathered since you entered the DAO. This value is linked to your address and only to your address (only msg.sender can withdraw).

Here's the snippet of claimProfit():

/// @notice Claim profits accumulated from the profit pool
/// @return profit The amount of profit claimed
function claimProfit() external returns (uint256 profit) {
    profit = saveProfit(msg.sender);
    require(profit > 0, "No profit available");
    savedProfit[msg.sender] = 0;
@>  IERC20(currency).safeTransfer(msg.sender, profit);
    emit Claim(msg.sender, profit);
}

But if the user's address is blacklisted for any reason (justified or NOT justified), the safeTransfer will fail and the user's profit will be stuck in the contract.

Neither the user nor the protocol will be able to retrieve this value, making it lost forever.

Impact:

Value will be stuck forever in the DAO contract.

Recommendation:

Add an arbitrary address parameter to claimProfit() so the user can choose which address will interact with the ERC20 contract.
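
A sketch of the recommended change, written for this page as an added example and not taken from the One World code base. BlacklistToken, ProfitPool, credit() and _claim() are hypothetical stand-ins, and the pool reads savedProfit directly instead of calling saveProfit():

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for a token with an issuer blacklist (not real USDC code).
contract BlacklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function setBlacklisted(address a, bool b) external { blacklisted[a] = b; }

    function transfer(address to, uint256 amt) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical minimal pool: only the accounting that claimProfit() touches.
contract ProfitPool {
    BlacklistToken public immutable currency;
    mapping(address => uint256) public savedProfit;
    event Claim(address indexed account, address indexed recipient, uint256 profit);

    constructor(BlacklistToken c) { currency = c; }

    // Constructed helper to seed balances in a test; no access control on purpose.
    function credit(address a, uint256 amt) external { savedProfit[a] += amt; }

    // Behaviour described on the page: the payout always goes to msg.sender, so a
    // blacklisted caller reverts every time (the revert also restores savedProfit).
    function claimProfit() external returns (uint256 profit) {
        return _claim(msg.sender);
    }

    // Recommended variant: msg.sender still owns the balance, but picks the recipient.
    function claimProfit(address recipient) external returns (uint256 profit) {
        require(recipient != address(0), "Zero recipient");
        return _claim(recipient);
    }

    function _claim(address recipient) internal returns (uint256 profit) {
        profit = savedProfit[msg.sender];
        require(profit > 0, "No profit available");
        savedProfit[msg.sender] = 0; // state change before the external call
        require(currency.transfer(recipient, profit), "transfer failed");
        emit Claim(msg.sender, recipient, profit);
    }
}
```

In the one-argument variant the token only checks the pool and the recipient, so the caller's own blacklist status no longer blocks the payout.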

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
