This repository was archived by the owner on Aug 3, 2025. It is now read-only.
USDC Blacklist Breaks Auction Settlement and Claims
Title
Critical Settlement Failure Due to USDC Blacklist in Auction Settlement and Claims
Severity
HIGH - Complete loss of funds and broken settlement mechanism
Description
The auction's settlement and claim processes can be permanently disrupted if the beneficiary address or winning bidders are USDC blacklisted, leading to locked funds and failed settlements.
The vulnerability exists in two critical settlement functions:
Auction Settlement:
```solidity
function endAuction() external onlyPool {
    // ... state checks
    if (state == State.SUCCEEDED) {
        // Transfer all collected USDC to beneficiary
        IERC20(buyCouponToken).safeTransfer(beneficiary, IERC20(buyCouponToken).balanceOf(address(this)));
    }
}
```
As you can see, this function directly transfers the winner the winning amount. If the bidder gets blacklisted after bidding, this will cause a revert and failed auctions.
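A common mitigation for the failure described above is to separate settlement from payout (pull payment), so that a reverting USDC transfer cannot block the state transition. The sketch below is an added example, not code from the audited repository: the contract name, `pool`, `proceedsOwed`, `claimProceeds`, the `BIDDING`/`FAILED` states and the `succeeded` parameter (a stand-in for the elided state checks) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added sketch with hypothetical names; only endAuction, onlyPool, beneficiary,
// buyCouponToken and State.SUCCEEDED come from the report above.
contract PullSettlementAuction {
    using SafeERC20 for IERC20;
    enum State { BIDDING, SUCCEEDED, FAILED }

    State public state;
    address public immutable pool;
    address public immutable beneficiary;
    address public immutable buyCouponToken;
    uint256 public proceedsOwed; // recorded at settlement, paid out on claim

    modifier onlyPool() {
        require(msg.sender == pool, "not pool");
        _;
    }

    constructor(address pool_, address beneficiary_, address buyCouponToken_) {
        pool = pool_;
        beneficiary = beneficiary_;
        buyCouponToken = buyCouponToken_;
    }

    // Settlement only records what is owed. No transfer happens here, so a
    // blacklisted recipient cannot make this call revert.
    function endAuction(bool succeeded) external onlyPool {
        require(state == State.BIDDING, "already settled");
        if (succeeded) {
            state = State.SUCCEEDED;
            proceedsOwed = IERC20(buyCouponToken).balanceOf(address(this));
        } else {
            state = State.FAILED;
        }
    }

    // Payout is a separate call; `to` lets the beneficiary name another recipient.
    function claimProceeds(address to) external {
        require(msg.sender == beneficiary, "not beneficiary");
        uint256 amount = proceedsOwed;
        require(amount > 0, "nothing to claim");
        proceedsOwed = 0; // effects before interaction
        IERC20(buyCouponToken).safeTransfer(to, amount);
    }
}
```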