Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: medium
Invalid

No mechanism to remove whitelisted tokens if a token becomes undesirable or deprecated.

Summary:

Once a token is whitelisted, it cannot be removed from the whitelist. This could be problematic if a token becomes undesirable or deprecated.

Vulnerability Details:

A token is whitelisted during contract initialization, and there is no mechanism to remove it later. What if that token becomes obsolete, compromised, or unwanted? This could pose risks to the protocol, and possibly to its users as well.

Impact:

  • Unwanted or obsolete tokens are of no use for the protocol and users.

Tools Used:

  • Manual Testing.

  • Foundry.

Recommended Mitigation:

  • First, add a function that returns a token's whitelist status. Whether to restrict it to onlyHost depends on the protocol and use case.

function isWhitelisted(address _token) external view returns (bool) {
    return whitelisted[_token];
}

  • Then, add a privileged function, restricted to the host, that removes a token from the whitelist. No participant can call this function, and the host can remove any whitelisted token.

function removeWhitelistedToken(address _token) external onlyHost {
    whitelisted[_token] = false;
}

Proof Of Code:

Below is a test function showing that a participant (i.e. a non-host) cannot remove a whitelisted token, proving that removeWhitelistedToken can only be called by the host.

function testRemoveWhitelistedToken() public {
    // Ensure WBTC is whitelisted initially
    bool isWhitelisted = cd.isWhitelisted(address(wbtc));
    assertTrue(isWhitelisted);
    // user1 is not the host, so the onlyHost check must revert the call
    vm.prank(user1);
    vm.expectRevert();
    cd.removeWhitelistedToken(address(wbtc));
    // WBTC must still be whitelisted after the failed attempt
    assertTrue(cd.isWhitelisted(address(wbtc)));
}
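
A self-contained Foundry test covering both sides of the access check, added here as an illustration and not taken from the submission or the audited contract. `WhitelistStandIn`, the `NotHost` error and the placeholder token address are assumptions; only `whitelisted`, `onlyHost`, `isWhitelisted` and `removeWhitelistedToken` come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: only the whitelist logic, not the audited contract.
contract WhitelistStandIn {
    error NotHost(); // assumed revert reason
    address public host;
    mapping(address => bool) private whitelisted;

    modifier onlyHost() {
        if (msg.sender != host) revert NotHost();
        _;
    }

    constructor(address _token) {
        host = msg.sender;
        whitelisted[_token] = true; // whitelisted once, at initialization
    }

    function isWhitelisted(address _token) external view returns (bool) {
        return whitelisted[_token];
    }

    function removeWhitelistedToken(address _token) external onlyHost {
        whitelisted[_token] = false;
    }
}

contract WhitelistRemovalTest is Test {
    WhitelistStandIn cd;
    address token = makeAddr("token"); // constructed placeholder address
    address user1 = makeAddr("user1"); // non-host participant

    function setUp() public {
        cd = new WhitelistStandIn(token); // the test contract is the host
    }

    function testNonHostCannotRemove() public {
        vm.prank(user1);
        vm.expectRevert(WhitelistStandIn.NotHost.selector);
        cd.removeWhitelistedToken(token);
        assertTrue(cd.isWhitelisted(token)); // state unchanged after the revert
    }

    function testHostCanRemove() public {
        cd.removeWhitelistedToken(token); // called by the host, no prank
        assertFalse(cd.isWhitelisted(token));
    }
}
```

Matching on the specific error selector, rather than a bare `vm.expectRevert()`, ensures the test fails if the call reverts for any reason other than the host check.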
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
