Anirruth - USDC could get stuck if address is blacklisted or block bridge. #162

Open
sherlock-admin2 opened this issue Oct 27, 2024 · 0 comments
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid

sherlock-admin2 commented Oct 27, 2024

Anirruth

Medium

USDC could get stuck if address is blacklisted or block bridge.

Summary

The user could lose the funds sent if, in the duration it takes to bridge, the destination address gets blacklisted.

Root Cause

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/sol-cc/contracts/SolConnector.sol#L81

USDC implements a blacklist for addresses. Blocked addresses are blocked from sending / receiving tokens.

The bridging process could take days for some chains to finalize.
During this time, if the _withdrawData.receiver gets blacklisted, the USDC amount in the source chain gets lost, since there isn't any way to return the funds if the call in the destination chain reverts due to the address getting blacklisted (to maybe comply with OFAC sanctions).

Internal pre-conditions

None

External pre-conditions

The receiver address gets blacklisted.

PoC

  • User calls transaction to bridge USDC.
  • Sometimes the transaction takes a few days to finalize.
  • In that time, if the receiver address gets blacklisted, then it wouldn't be possible for the address to receive the USDC, which causes the transaction to revert.
  • Hence the USDC would be locked in the source chain, or it could block the bridge, since the nonce wouldn't increment because the transaction would revert.

Mitigation

No response

sherlock-admin3 added the Sponsor Confirmed and Will Fix labels and removed the Will Fix label on Nov 3, 2024

sherlock-admin4 changed the title from "Bouncy Butter Cat - USDC could get stuck if address is blacklisted or block bridge." to "Anirruth - USDC could get stuck if address is blacklisted or block bridge." on Nov 6, 2024
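
The blocked-nonce condition described in the report, next to one common way to contain it, as an added example that is not part of the issue or of the project's code. It is a simplified Python model: `Token`, `Vault`, `deliver`, `retry` and `run` are hypothetical names, and escrowing a failed payout so the nonce can still advance is an assumed mitigation pattern, not the sponsor's fix.

```python
# Constructed model; every name here is hypothetical and none of it is project code.
from dataclasses import dataclass, field

class TransferReverted(Exception): pass  # stand-in for a token blacklist revert

@dataclass
class Token:
    balances: dict
    blacklist: set = field(default_factory=set)

    def transfer(self, src, dst, amount):
        if src in self.blacklist or dst in self.blacklist:
            raise TransferReverted(dst)
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

@dataclass
class Vault:
    token: Token
    escrow_failures: bool            # False models the behaviour in the report
    next_nonce: int = 1
    claimable: dict = field(default_factory=dict)  # receiver -> amount still owed

    def deliver(self, nonce, receiver, amount):
        """Handle one inbound withdrawal; return True if the nonce advanced."""
        if nonce != self.next_nonce:
            return False             # ordered delivery: an earlier message is pending
        try:
            self.token.transfer("vault", receiver, amount)
        except TransferReverted:
            if not self.escrow_failures:
                return False         # message reverts, nonce stays, queue is blocked
            self.claimable[receiver] = self.claimable.get(receiver, 0) + amount
        self.next_nonce += 1
        return True

    def retry(self, receiver):
        """Re-attempt an escrowed payout to the same receiver; True on success."""
        amount = self.claimable.get(receiver, 0)
        try:
            self.token.transfer("vault", receiver, amount)
        except TransferReverted:
            return False             # still blocked: the debt stays recorded
        self.claimable.pop(receiver, None)
        return amount > 0

def run(escrow_failures):
    """Constructed scenario: alice is blacklisted while her withdrawal is in flight."""
    vault = Vault(Token({"vault": 1000}, blacklist={"alice"}), escrow_failures)
    advanced = [vault.deliver(n, r, a) for n, r, a in [(1, "alice", 100), (2, "bob", 50)]]
    return vault, advanced
```

With `escrow_failures=False` the first message never completes and the unrelated second withdrawal is stuck behind it; with `True` the nonce advances and the unpaid amount stays recorded until a retry to the same receiver succeeds.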