You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Withdraw/Redeem functions can fail due to blocked USDT/USDC accounts
Summary
Withdraw and redeem functions in smart contracts can fail if they involve transferring USDT, USDC, or other centralized stablecoins from blocked or blacklisted accounts. Both Tether (USDT) and USD Coin (USDC) are issued by centralized entities with the authority to freeze or blacklist addresses. When an account is blacklisted, any attempts to transfer these tokens from the blacklisted address will be blocked, causing the transaction to fail.
This issue can significantly impact decentralized finance (DeFi) protocols, which rely on seamless token transfers for operations like withdrawals and redemptions. If a user's address or the contract itself gets blacklisted, users may be unable to withdraw their funds, leading to a loss of trust and potentially severe financial consequences.
Vulnerability Detail
pub fn deposit(ctx: Context, amount: u128) -> Result<()> {
let token_owner_account = &ctx.accounts.token_owner_account;
let token_vault = &ctx.accounts.token_vault;
let woopool = &mut ctx.accounts.woopool;
A potential way to fix this issue is to allow users to specify an alternative address for the transfer to go to. However, the contract must still validate that the withdrawal amount is correctly debited from the msg.sender's balance to prevent any unauthorized transfers. This ensures that users cannot steal other users' assets by specifying different addresses.
The text was updated successfully, but these errors were encountered:
Scrawny Cobalt Goldfish
Medium
Withdraw/Redeem functions can fail due to blocked USDT/USDC accounts
Summary
Withdraw and redeem functions in smart contracts can fail if they involve transferring USDT, USDC, or other centralized stablecoins from blocked or blacklisted accounts. Both Tether (USDT) and USD Coin (USDC) are issued by centralized entities with the authority to freeze or blacklist addresses. When an account is blacklisted, any attempts to transfer these tokens from the blacklisted address will be blocked, causing the transaction to fail.
This issue can significantly impact decentralized finance (DeFi) protocols, which rely on seamless token transfers for operations like withdrawals and redemptions. If a user's address or the contract itself gets blacklisted, users may be unable to withdraw their funds, leading to a loss of trust and potentially severe financial consequences.
Vulnerability Detail
pub fn deposit(ctx: Context, amount: u128) -> Result<()> {
let token_owner_account = &ctx.accounts.token_owner_account;
let token_vault = &ctx.accounts.token_vault;
let woopool = &mut ctx.accounts.woopool;
}
pub fn withdraw(ctx: Context, amount: u128) -> Result<()> {
let token_owner_account = &ctx.accounts.token_owner_account;
let token_vault = &ctx.accounts.token_vault;
let woopool = &mut ctx.accounts.woopool;
}
Impact
Withdraw/Redeem functions can fail due to blocked USDT/USDC accounts
Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/deposit_withdraw.rs#L38
Tool used
Manual Review
Recommendation
A potential way to fix this issue is to allow users to specify an alternative address for the transfer to go to. However, the contract must still validate that the withdrawal amount is correctly debited from the msg.sender's balance to prevent any unauthorized transfers. This ensures that users cannot steal other users' assets by specifying different addresses.
The text was updated successfully, but these errors were encountered: