FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: low
Likelihood: low

Blacklisted attacker loses his reward

Author Revealed upon completion

USDC/USDT Blacklisted Attacker will lose rewards

Description

  • The Attacker is basically performing an onchain penetration test and succeed. However, Circle and Tether may blacklist addresses that are involved in onchain hacks in general. Even if they have a Battlechain agreement

  • This will make Attacker lose their bounty as transfer to their address fails.

Although Typically Invalid Categories in Docs contains "User self-harm through blacklisting"

This isn't self harm as Attacker is not trying to make himself blacklisted. The arrangement as a whole leads to him getting blacklisted and potentially getting stripped of his Bounty reward.

if (payout > 0) {
corruptedReserve -= payout; //@ is this ok zz
if (!claimsStarted) claimsStarted = true;
@> stakeToken.safeTransfer(attacker, payout);
//@audit it transfers JUST to attacker address instead of letting attacker decide recipent address
}
emit AttackerBountyClaimed(attacker, payout, newBountyClaimed, bountyEntitlement);
}

Risk

Likelihood:

  • Occurs fairly often provided Circle/ Tether's offchain mechanism automatically blacklists an attacker involved in a hack

  • Occurs in most tokens that have regulatory compliance to blacklist addresses involved in hacks

Impact:

  • Attacker cannot get his bounty

  • Agreement cannot be fulfilled

Proof of Concept

-

Recommended Mitigation

Add parameter to attacker controlled address and just verify msg.sender is attacker.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!