Skip to content

Latest commit

 

History

History
56 lines (37 loc) · 3.06 KB

093.md

File metadata and controls

56 lines (37 loc) · 3.06 KB

Thankful Arctic Shell

Medium

Stablecoin.erc20Rescue will bypass blacklist restrictions when rescuing standard tokens to blacklisted addresses

Summary

The missing blacklist validation in Stablecoin.erc20Rescue function will cause a violation of blacklist restrictions for the Stablecoin contract as SUPPORT_ROLE holders will be able to transfer standard tokens to blacklisted addresses using the Stablecoin.erc20Rescue function, effectively bypassing the blacklist validation that exists in stablecoin transfers

Root Cause

In contracts/stablecoin/Stablecoin.sol:154 the Stablecoin.erc20Rescue function lacks blacklist validation for the destination address. While the contract enforces blacklist restrictions in the Blacklist._update function for stablecoin transfers, the Stablecoin.erc20Rescue function can be used to bypass these restrictions for standard token transfers. This creates an inconsistency with the contract's core blacklist functionality which is meant to prevent any token transfers involving blacklisted addresses.

Internal pre-conditions

  1. A SUPPORT_ROLE holder needs to exist in the system to use Stablecoin.erc20Rescue
  2. A user address needs to be blacklisted via Blacklist.addBlackList
  3. The Stablecoin contract needs to have some standard tokens that belong to the blacklisted user or were meant to be rescued

External pre-conditions

None required as this is entirely contained within the protocol's control

Attack Path

  1. A user gets blacklisted through Blacklist.addBlackList
  2. Some standard tokens end up in the Stablecoin contract (either through direct transfer or other means)
  3. The SUPPORT_ROLE holder calls Stablecoin.erc20Rescue with the following parameters:
    • token: The token address to be rescued
    • destination: The blacklisted user's address
    • amount: The amount to be transferred
  4. The tokens are successfully transferred to the blacklisted address, bypassing the blacklist restrictions that are enforced in Stablecoin._update for stablecoin

Impact

The protocol suffers a security control bypass as blacklisted addresses, which are supposed to be completely restricted from receiving tokens, can still receive them through Stablecoin.erc20Rescue. This undermines the blacklisting mechanism which appears to be a core security feature of the protocol, potentially compromising compliance and regulatory requirements. While this requires SUPPORT_ROLE access, it creates an inconsistency in blacklist enforcement that could be exploited intentionally or accidentally.

PoC

Mitigation

Add blacklist validation to the Stablecoin.erc20Rescue function:

function erc20Rescue(
    ERC20PermitUpgradeable token,
    address destination,
    uint256 amount
) external onlyRole(SUPPORT_ROLE) {
    // Add blacklist check for destination
    if (blacklisted(destination)) revert Blacklisted(destination);
    
    token.safeTransfer(destination, amount);
}