When the vault is a USDC vault, it can be used to DoS the app: on withdrawing, the recipient is set to a known USDC-blacklisted address, given that there is a curPositionKey.
This fills in flow and flowId, which prevents users of the app from interacting with functions such as deposit() and withdraw(), as they have noneFlow() inside them.
run() and claimCollateralRebates() also contain noneFlow().
If the admin decides to nullify flow and flowId, the user will instantly invoke withdraw() again, filling those two variables and blocking deposit() and withdraw() for other users; runNextAction() will also always be occupied with that malicious withdraw.
The result is a permanent DoS of the app, as the user will just spam withdraw() with the malicious recipient.
Manual review
Create a check that disallows malicious addresses from being used as the recipient.
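One way to implement the recommended check, as an added example that is not the audited vault's code. It assumes the collateral is Circle's USDC (whose FiatToken exposes isBlacklisted()) and that the stuck flow comes from the payout transfer reverting; RecipientGuard, _checkRecipient, _payOut, pendingPayout and claimPending are hypothetical names. The escrow path covers a recipient that is blacklisted only after the request was accepted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: every name in this file is hypothetical.
interface IERC20Blacklistable {
    function transfer(address to, uint256 amount) external returns (bool);
    // Exposed by USDC (FiatToken) through its Blacklistable base contract.
    function isBlacklisted(address account) external view returns (bool);
}

abstract contract RecipientGuard {
    IERC20Blacklistable public immutable collateral;  // assumed to be USDC
    mapping(address => uint256) public pendingPayout; // parked payouts, keyed by owner

    error BadRecipient(address recipient);

    constructor(IERC20Blacklistable collateral_) {
        collateral = collateral_;
    }

    // Call at the top of withdraw(), before flow and flowId are written,
    // so a request that can never be paid out is rejected up front.
    function _checkRecipient(address recipient) internal view {
        if (recipient == address(0) || collateral.isBlacklisted(recipient)) {
            revert BadRecipient(recipient);
        }
    }

    // Call when the withdrawal settles. A failed transfer is parked for the
    // position owner instead of reverting, so the caller can always go on
    // to clear flow and flowId.
    function _payOut(address owner, address recipient, uint256 amount) internal {
        try collateral.transfer(recipient, amount) returns (bool ok) {
            if (!ok) pendingPayout[owner] += amount;
        } catch {
            pendingPayout[owner] += amount;
        }
    }

    // Pull path: the owner redirects a parked payout to a valid address.
    function claimPending(address to) external {
        uint256 amount = pendingPayout[msg.sender];
        pendingPayout[msg.sender] = 0; // zero before the external call
        _checkRecipient(to);
        require(collateral.transfer(to, amount), "transfer failed");
    }
}
```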
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.