015.md

File metadata and controls

42 lines (23 loc) · 2.16 KB

Raspy Syrup Otter

Medium

Blacklisted user's tokens are transferred to the BLACKLISTER_ROLE caller, which is not tracked and not repaid when un-blacklisting the same user

Vulnerability Detail

The addBlackList function in Blacklist.sol blacklists a user and transfers all tokens held by that user to the BLACKLISTER_ROLE address that invoked the function, as implemented in the _onceBlacklisted hook. However, removeBlackList, which removes a user from the blacklist, neither tracks nor repays the confiscated funds: the amount is not recorded anywhere, and the tokens remain with whichever blacklister called addBlackList. A user who is mistakenly blacklisted therefore loses their entire balance even after the mistake is reverted.

Impact

Medium. The financial impact on a mistakenly blacklisted user can be significant (their whole balance), though the blacklisting action is restricted to the designated BLACKLISTER_ROLE.

Code Snippet

Stablecoin.sol
Blacklist.sol

Tool used

Manual Review

Recommendation

Event Logging During Transfer

To address this, emit an event recording the amount of tokens transferred during blacklisting so that confiscated funds can be tracked. Adding an event in _onceBlacklisted creates a transparent record of confiscated funds that can be audited off-chain. Note that an event alone does not let removeBlackList return the funds; for on-chain repayment the confiscated amount (and which blacklister received it) must also be stored in contract state.

```diff
+ event BlacklistConfiscation(address blacklistedUser, address blacklister, uint256 amount);

  function _onceBlacklisted(address user) internal override {
+     uint256 confiscatedAmount = balanceOf(user);
      _transfer(user, _msgSender(), balanceOf(user));
+     emit BlacklistConfiscation(user, _msgSender(), confiscatedAmount);
  }
```
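As an added example (not the audited project's code), the following standalone contract shows the fuller fix the title of this finding asks for: it records the confiscated amount and the blacklister that received it in storage, emits the event, and repays the user in removeBlackList. It assumes OpenZeppelin v5 ERC20 and AccessControl, the addBlackList / removeBlackList / _onceBlacklisted names from the finding, and a BLACKLISTER_ROLE role; the contract name TrackedBlacklistToken, the mappings confiscatedAmount and confiscatedBy, and the BlacklistRepayment event are illustrative names chosen here. Transfer restrictions on blacklisted addresses are a separate concern and are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Illustrative contract written for this review; not the audited project's code.
// Assumptions: OpenZeppelin v5, a BLACKLISTER_ROLE that gates add/removeBlackList,
// and _onceBlacklisted as the hook that confiscates the user's balance.
contract TrackedBlacklistToken is ERC20, AccessControl {
    bytes32 public constant BLACKLISTER_ROLE = keccak256("BLACKLISTER_ROLE");

    mapping(address => bool) public isBlackListed;
    // Per-user record of what was confiscated and who holds it, so it can be repaid.
    mapping(address => uint256) public confiscatedAmount;
    mapping(address => address) public confiscatedBy;

    event BlacklistConfiscation(address indexed blacklistedUser, address indexed blacklister, uint256 amount);
    event BlacklistRepayment(address indexed blacklistedUser, address indexed blacklister, uint256 amount);

    constructor() ERC20("Example", "EXM") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(BLACKLISTER_ROLE, msg.sender);
        _mint(msg.sender, 1_000_000e18);
    }

    function addBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        require(!isBlackListed[user], "already blacklisted");
        isBlackListed[user] = true;
        _onceBlacklisted(user);
    }

    function removeBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        require(isBlackListed[user], "not blacklisted");
        isBlackListed[user] = false;
        _repayConfiscated(user);
    }

    // In the audited code this is `internal override` of an abstract Blacklist base;
    // here there is no base contract, so it is a plain internal function.
    function _onceBlacklisted(address user) internal {
        uint256 amount = balanceOf(user);
        if (amount == 0) return; // nothing to confiscate, nothing to record
        confiscatedAmount[user] = amount;
        confiscatedBy[user] = _msgSender();
        _transfer(user, _msgSender(), amount);
        emit BlacklistConfiscation(user, _msgSender(), amount);
    }

    function _repayConfiscated(address user) internal {
        uint256 amount = confiscatedAmount[user];
        address holder = confiscatedBy[user];
        // Clear state before transferring (checks-effects-interactions).
        delete confiscatedAmount[user];
        delete confiscatedBy[user];
        if (amount == 0) return;
        // Repay from the blacklister that actually received the funds, not from
        // whoever calls removeBlackList: a different BLACKLISTER_ROLE holder may be
        // doing the removal. This reverts if that holder has since spent the tokens,
        // which is the desired failure mode rather than a silent loss.
        _transfer(holder, user, amount);
        emit BlacklistRepayment(user, holder, amount);
    }
}
```

The important design choice is that repayment draws on confiscatedBy[user], not on _msgSender(): with several BLACKLISTER_ROLE holders, the caller of removeBlackList is not necessarily the address that received the confiscated tokens in addBlackList. If the receiving blacklister has moved the tokens on, the repayment reverts loudly instead of leaving the user uncompensated.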