Hidden Basil Cricket
Medium
When a user is blacklisted, their entire balance is seized. This balance should be returned to the user when `removeBlackList` is called, but that is not the case here.
In `Blacklist.sol:removeBlackList`, the seized funds are not returned to the user.
The `addBlackList` function seizes the user's balance using the `_onceBlacklisted` function.
```solidity
function addBlackList(
    address user
) public virtual onlyRole(BLACKLISTER_ROLE) {
    if (blacklisted(user)) revert AlreadyBlacklisted(user);
    _onceBlacklisted(user);
    // do this after so it doesn't trip blacklisted restrictions
    _setBlacklist(user, true);
    emit AddedBlacklist(user);
}

// Seizes the user's entire balance by transferring it to the caller
function _onceBlacklisted(address user) internal override {
    _transfer(user, _msgSender(), balanceOf(user));
}
```
There is a function `removeBlackList` that can be used to remove the user from the blacklist, but it doesn't return the seized funds to the user, essentially leading to a loss of funds for the user.
```solidity
function removeBlackList(
    address user
) public virtual onlyRole(BLACKLISTER_ROLE) {
    if (!blacklisted(user)) revert NotBlacklisted(user);
    // Only the flag is cleared; nothing is transferred back to the user
    _setBlacklist(user, false);
    emit RemovedBlacklist(user);
}
```
- `BLACKLISTER` calls `addBlackList` to blacklist a user.
- The user is now blacklisted and his funds are seized.
- Afterwards, the `BLACKLISTER` realizes that he made a mistake in blacklisting the user.
- He calls `removeBlackList` to remove the genuine user from the blacklist.
- The user is removed from the blacklist, but his funds seized earlier are never returned.
User funds will get lost.
`removeBlackList` should return the user's funds.
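
One way to implement this recommendation, as an added example that is not the audited project's code: seized tokens are escrowed in the token contract and the amount is recorded, so `removeBlackList` can return exactly what was taken. The contract name `EscrowBlacklistToken`, the `seizedBalance` mapping and the `Blacklisted` error are hypothetical, OpenZeppelin Contracts v5 is assumed, and escrowing in the contract rather than sending the balance to the caller is a design change from the code above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Added example, not the audited project's code. Contract name, seizedBalance
// and the Blacklisted error are hypothetical; OpenZeppelin v5 is assumed.
contract EscrowBlacklistToken is ERC20, AccessControl {
    bytes32 public constant BLACKLISTER_ROLE = keccak256("BLACKLISTER_ROLE");
    mapping(address => bool) public blacklisted;
    mapping(address => uint256) public seizedBalance; // held in escrow by this contract

    error AlreadyBlacklisted(address user);
    error NotBlacklisted(address user);
    error Blacklisted();
    event AddedBlacklist(address indexed user);
    event RemovedBlacklist(address indexed user);

    constructor() ERC20("Example", "EX") {
        _grantRole(DEFAULT_ADMIN_ROLE, _msgSender());
        _grantRole(BLACKLISTER_ROLE, _msgSender());
        _mint(_msgSender(), 1_000_000 ether); // constructed supply for the example
    }

    function addBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        if (blacklisted[user]) revert AlreadyBlacklisted(user);
        uint256 amount = balanceOf(user);
        seizedBalance[user] = amount;           // remember what was taken
        _transfer(user, address(this), amount); // escrow before the flag blocks transfers
        blacklisted[user] = true;
        emit AddedBlacklist(user);
    }

    function removeBlackList(address user) external onlyRole(BLACKLISTER_ROLE) {
        if (!blacklisted[user]) revert NotBlacklisted(user);
        uint256 amount = seizedBalance[user];
        seizedBalance[user] = 0;
        blacklisted[user] = false;              // clear first so the refund is not blocked
        _transfer(address(this), user, amount); // return exactly the seized amount
        emit RemovedBlacklist(user);
    }

    // Blacklisted accounts can neither send nor receive, so seizedBalance stays complete.
    function _update(address from, address to, uint256 value) internal override {
        if (blacklisted[from] || blacklisted[to]) revert Blacklisted();
        super._update(from, to, value);
    }
}
```

Blacklisting the contract's own address would block every refund from escrow, so a production version should reject `address(this)` in `addBlackList`.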