Platform: Code4rena
Start Date: 02/08/2023
Pot Size: $42,000 USDC
Total HM: 13
Participants: 45
Period: 5 days
Judge: hickuphh3
Total Solo HM: 5
Id: 271
League: ETH
Rank: 15/45
Findings: 1
Award: $476.03
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: bin2chen
Also found by: 0xbepresent, MatricksDeCoder
476.0281 USDC - $476.03
https://github.com/GenerationSoftware/pt-v5-cgda-liquidator/blob/7f95bcacd4a566c2becb98d55c1886cadbaa8897/src/LiquidationRouter.sol#L69
https://github.com/GenerationSoftware/pt-v5-vault-boost/blob/9d640051ab61a0fdbcc9500814b7f8242db9aec2/src/VaultBooster.sol#L173
https://github.com/GenerationSoftware/pt-v5-vault-boost/blob/9d640051ab61a0fdbcc9500814b7f8242db9aec2/src/VaultBooster.sol#L193
There are various tokens and token standards that can result in transfers being stopped, blocked, blacklisted, paused or disallowed. This entails that protocols may function well with these tokens up until a time when any of the above measures is activated, leading to an inability to perform transfers into and out of the protocol.
For tokens such as ERC20Pausable, pausable tokens like WBTC, ERC1400 and Polymath-like tokens, it implies that all the instances mentioned in the links provided will not function for transfers. What's worse, tokens with blacklisting capabilities may block contract addresses of the protocol, which renders them incapable of sending and receiving these tokens to function fully.
E.g. in the instances below:
IERC20(collateralAsset).safeTransfer(ROEROUTER.treasury(), feeAmount); // if collateralAsset is an asset that can be paused for transfers then fees can't be sent to the treasury
IERC20(_liquidationPair.tokenIn()).safeTransferFrom(... // LiquidationPair.sol can't transfer in tokenIn from the user
_token.safeTransferFrom(msg.sender, address(this), _amount); // users can't deposit the token into the VaultBooster.sol contract that is used to liquidate arbitrary tokens for a vault
_token.transfer(msg.sender, _amount); // users can't withdraw the token from VaultBooster.sol
...function liquidate(...) { ....IERC20(_tokenOut).safeTransfer(_account, _amountOut); } // users can't liquidate tokens
etc.
Manual Analysis
It is recommended that such tokens be disallowed from being used with the protocol. Consider a whitelist of allowed tokens.
Token-Transfer
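One way to apply the allowlist recommendation above, as an added example that is not part of the original submission or of the PoolTogether code. The contract `AllowlistedBooster`, its functions and its errors are hypothetical, and it assumes the owner lists only tokens it has vetted as having no pause, blocklist or fee-on-transfer behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical contract, not PoolTogether code.
contract AllowlistedBooster {
    address public immutable owner;
    mapping(address => bool) public allowedToken; // vetted tokens only
    mapping(address => mapping(address => uint256)) public balanceOf; // token => user => amount

    error NotOwner();
    error TokenNotAllowed(address token);
    error TransferFailed(address token);

    event TokenAllowed(address indexed token, bool allowed);

    constructor() { owner = msg.sender; }

    // Assumption: the owner reviews the token (no pause, blocklist or fee logic) before listing.
    function setAllowed(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    // Deposits are gated, so an unvetted token never enters the contract.
    function deposit(address token, uint256 amount) external {
        if (!allowedToken[token]) revert TokenNotAllowed(token);
        balanceOf[token][msg.sender] += amount; // state first, external call last
        _call(token, abi.encodeWithSignature(
            "transferFrom(address,address,uint256)", msg.sender, address(this), amount));
    }

    // Withdrawals are deliberately not gated: delisting a token must not trap funds.
    function withdraw(address token, uint256 amount) external {
        balanceOf[token][msg.sender] -= amount; // reverts on underflow in 0.8+
        _call(token, abi.encodeWithSignature(
            "transfer(address,uint256)", msg.sender, amount));
    }

    // Reverts if the target has no code, the call fails, or the token returns false;
    // tokens that return no data are accepted.
    function _call(address token, bytes memory data) private {
        (bool ok, bytes memory ret) = token.call(data);
        if (token.code.length == 0 || !ok || (ret.length != 0 && !abi.decode(ret, (bool))))
            revert TransferFailed(token);
    }
}
```

An allowlist only limits exposure at listing time: a listed token whose issuer later pauses it or blocks the contract address will still revert in `withdraw`, so upgradeable or admin-controlled tokens need the same scrutiny before being allowed.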
#0 - c4-pre-sort
2023-08-07T22:24:07Z
raymondfam marked the issue as low quality report
#1 - raymondfam
2023-08-07T22:24:31Z
QA at best. The protocol isn't dealing with these tokens.
#2 - c4-pre-sort
2023-08-08T04:33:50Z
raymondfam marked the issue as duplicate of #92
#3 - c4-pre-sort
2023-08-08T04:34:05Z
raymondfam marked the issue as remove high or low quality report
#4 - c4-judge
2023-08-14T07:14:32Z
HickupHH3 marked the issue as satisfactory