Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: high
Invalid

No Blocklist Check for USDC Transfers

Summary

The ZENO contract does not account for USDC’s blocklist feature, which can prevent transfers to certain addresses. If a user’s address is blocklisted, their ZENO tokens are burned during redemption, but the USDC transfer fails, leading to a complete loss of their position. This high-impact issue has a medium likelihood tied to external blocklisting events.

Vulnerability Details

USDC implements a blocklist that can restrict transfers to specific addresses. The redeem function lacks a check for this, burning ZENO tokens before ensuring the USDC transfer can succeed. For example:

1. A user holds 10,000 ZENO tokens.
2. Their address is blocklisted by USDC.
3. They attempt to redeem: ZENO is burned, but the USDC transfer fails.
4. The user loses their entire 10,000 ZENO position with no USDC received.

Impact

Blocklisted users lose their full ZENO holdings without compensation, a high-impact outcome. While the likelihood is medium (dependent on external blocklisting), the growing use of USDC’s blocklist feature increases this risk, potentially affecting multiple users and damaging the contract’s credibility.

Tools Used

Blockchain Data: Etherscan or USDC contract inspection to understand blocklist mechanics.

Recommendations

Add a pre-check for the USDC blocklist before burning tokens:

```solidity
// Interface for the blocklist view exposed by Circle's FiatToken (USDC) contract.
interface IUSDCBlocklist {
    function isBlacklisted(address account) external view returns (bool);
}

function redeem(uint256 amount) external nonReentrant {
    uint256 usdcAmount = amount / 1e12; // 1e12 scaling: 18-decimal ZENO to 6-decimal USDC
    // Verify the reserve and the caller's blocklist status before anything is burned.
    require(
        USDC.balanceOf(address(this)) >= usdcAmount &&
            !IUSDCBlocklist(address(USDC)).isBlacklisted(msg.sender),
        "USDC transfer would fail"
    );
    _burn(msg.sender, amount);
    USDC.safeTransfer(msg.sender, usdcAmount);
}
```

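The following is an added example, not code from the audited project or from this submission. It shows the recommended pre-check in a self-contained form: a constructed `MockUSDC` that mirrors the `isBlacklisted(address)` view and the revert-on-blocklisted-transfer behaviour of Circle's FiatToken, a minimal `ZenoWithPrecheck` contract (the name, the 18/6 decimal split implied by the 1e12 scaling, and the plain `transfer` call instead of `safeTransfer` are assumptions), and a Foundry test that a blocklisted user is rejected before any ZENO is burned.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumes a Foundry project with forge-std installed

// Blocklist view as exposed by Circle's FiatToken (USDC) contract.
interface IUSDCBlocklist {
    function isBlacklisted(address account) external view returns (bool);
}

// Constructed stand-in for USDC: 6 decimals, a blocklist, and transfers that
// revert when either party is blocklisted (the behaviour the finding relies on).
contract MockUSDC {
    uint8 public constant decimals = 6;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isBlacklisted; // getter matches IUSDCBlocklist

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function blacklist(address account) external { isBlacklisted[account] = true; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!isBlacklisted[msg.sender] && !isBlacklisted[to], "Blacklistable: account is blacklisted");
        require(balanceOf[msg.sender] >= amount, "insufficient USDC");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical ZENO-like contract with the recommended pre-check.
contract ZenoWithPrecheck {
    MockUSDC public immutable USDC;
    mapping(address => uint256) public balanceOf; // ZENO balances, 18 decimals

    constructor(MockUSDC usdc) { USDC = usdc; }

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function redeem(uint256 amount) external {
        uint256 usdcAmount = amount / 1e12; // 18-decimal ZENO to 6-decimal USDC
        // Both checks run before the burn, so a blocklisted caller is rejected
        // without touching their ZENO balance.
        require(USDC.balanceOf(address(this)) >= usdcAmount, "insufficient USDC reserve");
        require(!IUSDCBlocklist(address(USDC)).isBlacklisted(msg.sender), "recipient is blocklisted by USDC");
        require(balanceOf[msg.sender] >= amount, "insufficient ZENO");
        balanceOf[msg.sender] -= amount; // burn
        require(USDC.transfer(msg.sender, usdcAmount), "USDC transfer failed");
    }
}

// Foundry test reproducing the scenario from the finding against the hardened redeem.
contract RedeemPrecheckTest is Test {
    function testBlocklistedUserIsRejectedBeforeBurn() public {
        MockUSDC usdc = new MockUSDC();
        ZenoWithPrecheck zeno = new ZenoWithPrecheck(usdc);
        address alice = makeAddr("alice");

        zeno.mint(alice, 10_000e18);        // 10,000 ZENO
        usdc.mint(address(zeno), 10_000e6); // reserve backing the redemption
        usdc.blacklist(alice);              // external blocklisting event

        vm.prank(alice);
        vm.expectRevert(bytes("recipient is blocklisted by USDC"));
        zeno.redeem(10_000e18);

        // The caller's position is intact and no USDC moved.
        assertEq(zeno.balanceOf(alice), 10_000e18);
        assertEq(usdc.balanceOf(alice), 0);
    }

    function testNonBlocklistedUserRedeems() public {
        MockUSDC usdc = new MockUSDC();
        ZenoWithPrecheck zeno = new ZenoWithPrecheck(usdc);
        address bob = makeAddr("bob");

        zeno.mint(bob, 10_000e18);
        usdc.mint(address(zeno), 10_000e6);

        vm.prank(bob);
        zeno.redeem(10_000e18);

        assertEq(zeno.balanceOf(bob), 0);
        assertEq(usdc.balanceOf(bob), 10_000e6);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The blocklist check is deliberately a separate `require` with its own message so that a rejected redemption is distinguishable in logs from a reserve shortfall.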
Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
