Platform: Code4rena
Start Date: 24/02/2022
Pot Size: $30,000 USDC
Total HM: 0
Participants: 28
Period: 3 days
Judge: Jack the Pug
Id: 95
League: ETH
Rank: 2/28
Findings: 1
Award: $3,484.08
Selected for report: 0
Solo Findings: 0
Selected for report: hickuphh3
Also found by: 0x1f8b, 0xwags, Dravee, IllIllI, Omik, Rhynorater, Ruhum, TerrierLover, cccz, cmichel, csanuragjain, defsec, gzeon, jayjonah8, kenta, kirk-baird, kyliek, leastwood, minhquanym, pedroais, peritoflores, robee, securerodd
3484.084 USDC - $3,484.08
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L623-L631
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L295-L306
The V2 fiat token contract builds upon USDC's implementation through a simple whitelisting feature. The whitelister role can enable specific accounts to transfer tokens of value greater than 100000e18. However, it is possible to bypass this restriction by breaking up transfers, approvals and mints into smaller amounts, because the limit is checked per call rather than per account.
Let's consider someone who wants to transfer 100001e18 tokens. They can break up the transfer into two smaller transfers of size 100000e18 and 1e18, each of which passes the check on its own. As a result, the user is able to transfer more than the restricted amount.
Manual code review.
Consider redesigning this mechanism to better keep track of how much value has been sent by a single account.
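As an added illustration (not the JPYC contract code), the simplified model below places the per-call cap described above beside a per-account cumulative cap in the spirit of the recommendation; the contract name, function names and the sentTotal mapping are assumptions, and the cumulative variant still does not stop an actor who spreads value across several fresh addresses, as noted in the judge's comment:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified model of the whitelist cap discussed in the finding.
/// Not the JPYC FiatTokenV2 code; names and layout are assumptions.
contract TransferCapModel {
    uint256 public constant MAX_AMOUNT = 100000e18;

    mapping(address => bool) public whitelisted;
    // Running total of value sent by each non-whitelisted account (assumed field).
    mapping(address => uint256) public sentTotal;

    // Per-call check as described in the finding: each transfer is judged alone,
    // so 100000e18 followed by 1e18 both pass even though 100001e18 would not.
    function allowedPerTx(address from, uint256 value) public view returns (bool) {
        return whitelisted[from] || value <= MAX_AMOUNT;
    }

    // Cumulative check in the spirit of the recommended mitigation: the sum of
    // everything the account has sent must stay within the cap, so the split
    // 100000e18 + 1e18 is rejected on the second call.
    function allowedCumulative(address from, uint256 value) public returns (bool) {
        if (whitelisted[from]) {
            return true;
        }
        if (sentTotal[from] + value > MAX_AMOUNT) {
            return false;
        }
        sentTotal[from] += value;
        return true;
    }
}
```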
#0 - 0xywzx
2022-03-01T02:58:10Z
Thank you for your issue.
We won't be implementing whitelist in this version, so we'll refer to it when I actually deploy whitelist.
#1 - jack-the-pug
2022-03-11T17:16:16Z
I would say this is how this feature is designed: it's designed to restrict the max value allowed to be sent in a single transaction. While it's true that one can send more with more transactions, it's not part of the design afaics.
Furthermore, I don't think there is a way to mitigate this "issue", the recommended mitigation won't fix it, as one can always create more wallets and "bypass" this restriction again.
I'm making this a low as it's still valuable for raising a noteworthy concern.
#2 - CloudEllie
2022-03-24T14:12:49Z
Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.
The original title, for the record, was "Users Can Bypass Whitelisting Restrictions."