s0x0mtee - Blacklisted addresses can still call/interact with Telcoin core/swap functions

[sherlock-admin2]

s0x0mtee

Medium

Blacklisted addresses can still call/interact with Telcoin core/swap functions

Summary

Stablecoin.sol enforeces blacklist functionality by restricting the _update() for users who have been added to blacklist hence any transaction to and from their address will be restricted, but blacklisted users can still make calls to swap functions such as stablecoinSwap() with the help of delegate calls through contracts that have been funded with eXYZ tokens or other DeFi tokens. The blacklisted wallets will be able to by pass the onlyRole(SWAPPER_ROLE) since the modifer uses msg.sender(which would be the blacklisted address and not the external delegate contract) to check if addresses calling these functions are allowed to, which blacklisted addresses still have.https://github.com/sherlock-audit/2024-11-telcoin/blob/b9c751b59e78a7123a636e31ecafc9147046f190/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L144-L181

Root Cause

• Lack of checks for calls made by blacklisted addresses in each swap function.

Internal pre-conditions

1. Blacklisted address uses an external funded address to make delegate calls to Telcoins functions

External pre-conditions

No response

Attack Path

No response

Impact

The blacklisted address can still carry out nefarious activities in the telcoin ecosystem

PoC

No response

Mitigation

No response