Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 55/101
Findings: 1
Award: $33.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5809 USDC - $33.58
Issues with future withdrawals
It is becoming increasingly common for jurisdictions throughout the world to create laws and regulations barring users from interacting with or receiving certain assets (e.g. Tornado Cash). TribeRedeemer.sol forces the redeeming user to receive payment as a basket of all assets. Currently there are no such restrictions on the assets in the basket, but this contract is meant to be a permanent redemption mechanism for TRIBE, and this could change during the lifetime of the contract.
Another thing to consider is that stETH is an upgradeable ERC20 token. Currently it does not have a blacklist function, but one could easily be added. This opens the possibility that TribeRedeemer could be blacklisted, blocking all interactions with stETH. In such a situation the contract would be inoperable and all funds in it would be permanently lost, because the transfer of the blacklisted asset would always fail.
When redeeming their TRIBE, users should have the option to opt out of receiving certain assets. Additionally, the contract could be left under the control of the Tribe DAO to deal with such a situation should it arise.
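As an added illustration that is not part of this finding or of the Tribe codebase: a simplified sketch of the all-assets redemption loop the finding describes, next to the opt-out variant it recommends. Contract, function and variable names are assumed for the sketch and do not mirror TribeRedeemer.sol.

```solidity
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Assumed sketch of a pro-rata basket redeemer; names are illustrative, not TribeRedeemer.sol.
contract BasketRedeemerSketch {
    IERC20 public immutable redeemedToken;  // token being redeemed (e.g. TRIBE)
    address[] public tokensReceived;        // basket paid out (e.g. stETH, DAI, ...)
    uint256 public redeemBase;              // total redeemable supply the basket backs
    constructor(IERC20 _redeemedToken, address[] memory _tokensReceived, uint256 _redeemBase) {
        redeemedToken = _redeemedToken;
        tokensReceived = _tokensReceived;
        redeemBase = _redeemBase;
    }

    /// Pattern the finding describes: every basket token is paid in one loop, so one token whose
    /// transfer reverts (e.g. this contract blacklisted by an upgradeable token) blocks all assets for everyone.
    function redeemAll(address to, uint256 amountIn) external {
        _takeIn(amountIn);
        for (uint256 i = 0; i < tokensReceived.length; i++) {
            _payShare(tokensReceived[i], to, amountIn);
        }
        redeemBase -= amountIn;
    }

    /// Mitigation the finding suggests: the redeemer selects which basket assets to receive, so a
    /// reverting token can be deselected. A forfeited share stays here and accrues to later redeemers.
    function redeemSelected(address to, uint256 amountIn, bool[] calldata wanted) external {
        require(wanted.length == tokensReceived.length, "selection length mismatch");
        _takeIn(amountIn);
        for (uint256 i = 0; i < tokensReceived.length; i++) {
            if (wanted[i]) _payShare(tokensReceived[i], to, amountIn);
        }
        redeemBase -= amountIn;
    }

    function _takeIn(uint256 amountIn) internal {
        require(amountIn > 0 && amountIn <= redeemBase, "bad amount");
        require(redeemedToken.transferFrom(msg.sender, address(this), amountIn), "pull failed");
    }

    function _payShare(address token, address to, uint256 amountIn) internal {
        uint256 share = IERC20(token).balanceOf(address(this)) * amountIn / redeemBase;
        if (share > 0) require(IERC20(token).transfer(to, share), "transfer failed");
    }
}
```

Note that the opt-out variant changes the economics: shares a redeemer declines are not burned but remain in the contract, so the pro-rata split for later redeemers grows, which any real design would need to document or handle explicitly.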
#0 - kryptoklob
2022-09-20T00:21:57Z
Not an issue; we don't intend to add this complexity for the possibility of the issues mentioned arising in the future.
#1 - HickupHH3
2022-09-28T03:14:00Z
Hairy issue when regulations are brought into the picture. It would add complexity to the code and raise additional security concerns to handle these scenarios.
Downgrading to QA because there is some merit to the issue.
#2 - HickupHH3
2022-09-28T03:14:21Z
user's primary QA