The AaveDIVAWrapperCore contract allows USDC as a collateral token. However, USDC has the ability to blacklist addresses, preventing them from transferring tokens. If a user is blacklisted by USDC, they will be unable to withdraw their collateral tokens from the contract, leading to a loss of funds. This creates a significant risk for users interacting with the contract.
The vulnerability arises from the reliance on USDC as a collateral token. USDC has a built-in blacklisting feature that allows the issuer to freeze or block transactions from specific addresses. If a user's address is blacklisted, any attempt to transfer USDC to or from that address will fail.
In the AaveDIVAWrapperCore contract, when a user attempts to withdraw their collateral tokens (e.g., via _redeemWTokenPrivate or _removeLiquidity), the contract transfers USDC from the contract to the user's address. If the user's address is blacklisted, the transfer will revert, and the user will be unable to retrieve their funds.
The issue is particularly problematic because the contract does not account for the possibility of blacklisting. There is no mechanism to handle such scenarios, leaving users vulnerable to permanent loss of funds if they are blacklisted.
Users who are blacklisted by USDC will be unable to withdraw their collateral tokens, resulting in a permanent loss of funds.
Manual Review
Introduce a fallback mechanism to handle cases where a user's address is blacklisted. For example, allow the contract owner or a governance mechanism to manually return funds to an alternative address provided by the user.
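As an added illustration of the recommended fallback (a hypothetical sketch, not AaveDIVAWrapperCore's code; the contract and function names and the OpenZeppelin IERC20 import are assumptions), the msg.sender-bound payout pattern described in the finding sits beside a hardened version that lets the user name a recipient and records a reverted payout as a claimable balance instead of locking it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Hypothetical sketch for illustration only, not the AaveDIVAWrapperCore contract.
contract BlacklistTolerantVault {
    IERC20 public immutable collateral;            // e.g. USDC (assumed)
    mapping(address => uint256) public deposits;   // user -> collateral owed
    mapping(address => uint256) public stranded;   // user -> amount whose payout reverted

    event PayoutStranded(address indexed user, uint256 amount);

    constructor(IERC20 _collateral) { collateral = _collateral; }

    function deposit(uint256 amount) external {
        require(collateral.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    // Pattern the finding describes: payout is hard-wired to msg.sender.
    // If msg.sender is blacklisted by the token, transfer() reverts, the state
    // change is rolled back, and the funds can never leave the contract.
    function withdrawLegacy(uint256 amount) external {
        deposits[msg.sender] -= amount;
        require(collateral.transfer(msg.sender, amount), "transfer failed");
    }

    // Hardened version: caller chooses the recipient, and a failed payout is
    // recorded as a claimable balance rather than reverting the whole call.
    function withdraw(uint256 amount, address recipient) external {
        require(recipient != address(0), "zero recipient");
        deposits[msg.sender] -= amount;           // checks-effects first; underflow reverts
        try collateral.transfer(recipient, amount) returns (bool ok) {
            if (ok) return;
        } catch {}
        stranded[msg.sender] += amount;           // keep accounting; user can claim elsewhere
        emit PayoutStranded(msg.sender, amount);
    }

    // The depositor redirects a stranded payout to any address the token will accept.
    function claimStranded(address recipient) external {
        uint256 amount = stranded[msg.sender];
        require(amount > 0, "nothing stranded");
        stranded[msg.sender] = 0;
        require(collateral.transfer(recipient, amount), "transfer failed");
    }
}
```

The blacklist only blocks token transfers to or from the listed address, so the listed depositor can still call the vault itself; the vault is the token-level sender and the recipient is chosen by the user.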