code-423n4/2024-05-loop-findings

Tokens cannot be removed from Allowedlist once added

howlbot-integration opened this issue · 4 comments

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364-L366

Vulnerability details

Impact

When a token is added to an allowed list, there should be a disallow function to be able to remove the token once the token does not meet regulations anymore or the owner does not want it in the allowed list anymore.

In this protocol, once the token is allowed, there is no way to disallow a token.

Proof of Concept

This is the function responsible for adding tokens to the allowed list

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Once the address of the token is passed, the owner does not have any option to change the value to false.

Tools Used

Manual analysis with VS Code

Recommended Mitigation Steps

You can add a disallow function to remove tokens from the allowed list,
like this:

    function disAllowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
    }

Assessed type

Other

This poses a security risk in the case of a malicious owner, since disallowed tokens can be withdrawn by the owner.
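The mitigation suggested above, worked out as a complete contract. This is an added example, not code from the PrelaunchPoints contract or from the 2024-05-loop repository: the `owner` state variable, the body of the `onlyAuthorized` modifier, the custom errors, the events and the `deposit` entry point are all assumptions made here to show how a reversible allowlist is normally wired (an event per change for off-chain monitoring, a revert on no-op toggles, and a check on every token-gated path so a disallow takes effect on the next transaction).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: an allowlist that can be both extended and reduced.
/// Names below (owner, errors, events, deposit) are assumptions, not the
/// project's own API.
contract TokenAllowlist {
    address public owner;
    mapping(address => bool) public isTokenAllowed;

    // Emitted on every change so indexers and monitoring can audit the list.
    event TokenAllowed(address indexed token);
    event TokenDisallowed(address indexed token);

    error NotAuthorized();
    error TokenNotAllowed(address token);
    error NoChange(address token);

    // Assumed authorization: a single owner. The original contract's
    // onlyAuthorized body is not shown on the page.
    modifier onlyAuthorized() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Add a token. Reverts if already allowed so a stray call is visible.
    function allowToken(address _token) external onlyAuthorized {
        if (isTokenAllowed[_token]) revert NoChange(_token);
        isTokenAllowed[_token] = true;
        emit TokenAllowed(_token);
    }

    /// Remove a token. This is the function the finding says is missing.
    function disallowToken(address _token) external onlyAuthorized {
        if (!isTokenAllowed[_token]) revert NoChange(_token);
        isTokenAllowed[_token] = false;
        emit TokenDisallowed(_token);
    }

    /// Every token-gated entry point reads the mapping at call time, so a
    /// disallowed token is rejected from the next transaction onward.
    function deposit(address _token, uint256 _amount) external {
        if (!isTokenAllowed[_token]) revert TokenNotAllowed(_token);
        require(_amount > 0, "zero amount");
        // Token transfer and accounting would follow here (omitted).
    }
}
```

Checking the mapping at the entry point rather than caching the result elsewhere is what makes the disallow effective immediately; if a protocol stores an allowed flag per user position, a later disallow would not reach those positions.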

koolexcrypto marked the issue as duplicate of #98

koolexcrypto marked the issue as duplicate of #90

koolexcrypto marked the issue as unsatisfactory:
Invalid