From Weird ERC20 tokens:
Some tokens (e.g. USDC, USDT) have a contract level admin controlled address blocklist. If an address is blocked, then transfers to and from that address are forbidden. Malicious or compromised token owners can trap funds in a contract by adding the contract address to the blocklist. This could potentially be the result of regulatory action against the contract itself, against a single user of the contract (e.g. a Uniswap LP), or could also be a part of an extortion attempt against users of the blocked contract.
A user buys zeno tokens in the auction.
The user is not blocklisted, so the purchase succeeds.
The auction ends, and users can now redeem their zeno tokens.
Meanwhile, the user is blocklisted.
The user can no longer redeem for USDC, and the funds are stuck forever since there is no other way to withdraw those tokens.
Manual Review
Add a function that lets a trusted actor redeem trapped funds, or do not use tokens that have a blocklist.
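A minimal sketch of the first option, added here as an example and not taken from the audited code. The contract name, `credit`, `rescueRedeem`, `owed` and `trustedActor` are hypothetical, and the contract is assumed to already hold the payout tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration; not the audited code.
contract RescuableRedemption {
    address public immutable payoutToken;  // e.g. USDC, which has a blocklist
    address public immutable trustedActor; // assumption: multisig or governance
    mapping(address => uint256) public owed; // payout owed to each holder

    event Redeemed(address indexed holder, address indexed to, uint256 amount);

    constructor(address token, address actor) { payoutToken = token; trustedActor = actor; }

    // Stand-in for auction settlement: records what a holder can redeem.
    function credit(address holder, uint256 amount) external {
        require(msg.sender == trustedActor, "not trusted actor");
        owed[holder] += amount;
    }

    // Normal path. If msg.sender is blocklisted, the token's transfer reverts,
    // the whole call reverts, and owed[msg.sender] is left unchanged.
    function redeem() external {
        _payout(msg.sender, msg.sender);
    }

    // Rescue path: the trusted actor pays a holder's balance to another address.
    function rescueRedeem(address holder, address to) external {
        require(msg.sender == trustedActor, "not trusted actor");
        require(to != address(0), "zero recipient");
        _payout(holder, to);
    }

    function _payout(address holder, address to) private {
        uint256 amount = owed[holder];
        require(amount != 0, "nothing owed");
        owed[holder] = 0; // clear state before the external call
        // Low-level call so tokens that return no bool (e.g. USDT) also work.
        (bool ok, bytes memory ret) =
            payoutToken.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
        emit Redeemed(holder, to, amount);
    }
}
```

The rescue path shifts trust to `trustedActor`, who can direct any holder's payout, so that role belongs behind a multisig or timelock.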