Skip to content
This repository was archived by the owner on Aug 3, 2025. It is now read-only.
This repository was archived by the owner on Aug 3, 2025. It is now read-only.

Itchy Wintergreen Newt - USDC blacklist will permanently DOS the Auction contract affecting all users #1051

Open
Open
Itchy Wintergreen Newt - USDC blacklist will permanently DOS the Auction contract affecting all users#1051
@sherlock-admin4

Description

@sherlock-admin4
sherlock-admin4
opened on Jan 23, 2025

Itchy Wintergreen Newt

High

USDC blacklist will permanently DOS the Auction contract affecting all users

Summary

USDC's blacklist functionality will cause a permanent DOS of the Auction contract for all users, as any blacklisted address with an active bid will prevent _removeBid() from executing successfully since USDC transfers to blacklisted addresses will revert.

Root Cause

The protocol expects to use USDC as the couponToken in the auctions. Note that USDC has a blacklist. As users bid in the auction, it reaches a point where excess bids need to removed which is done by calling the internal function removeExcessBids() from the bid function. This removeExcessBids function calls _removeBid with the bidIndex of the bidder to be removed.

Now the issue is that In Auction.sol:L325 the decision to directly transfer USDC tokens back to bidders without handling potential blacklist failures is a mistake as USDC transfers to blacklisted addresses will revert, causing a permanent DOS of the contract.

function _removeBid(uint256 bidIndex) internal {
// ...
IERC20(buyCouponToken).safeTransfer(bidder, sellCouponAmount);

Internal Pre-conditions

  1. An auction must be active with USDC as the coupon token
  2. A bidder must have placed a valid bid in the auction
  3. The bidder's address must become blacklisted by USDC after placing their bid

External Pre-conditions

  1. USDC's compliance team blacklists the bidder's address

Attack Path

  1. Alice places a valid bid in the auction using USDC as coupon token
  2. Alice's address gets blacklisted by USDC's compliance team
  3. When another user tries to place a bid that would trigger removeExcessBids()
  4. The _removeBid() function attempts to refund USDC to Alice
  5. The USDC transfer reverts due to Alice being blacklisted
  6. The entire auction becomes permanently stuck as no new bids can be placed

Impact

The entire auction system becomes permanently unusable for all users. No new bids can be placed and the auction cannot proceed, effectively freezing user funds in the contract.

PoC

No response

Mitigation

Implement a pull payment pattern instead of push payments:
Example:

mapping(address => uint256) public pendingRefunds;

function _removeBid(uint256 bidIndex) internal {
    // ... existing code ...
    
    // Instead of transfer
    pendingRefunds[bidder] += sellCouponAmount;
}

function withdrawRefund() external {
    uint256 amount = pendingRefunds[msg.sender];
    pendingRefunds[msg.sender] = 0;
    IERC20(buyCouponToken).safeTransfer(msg.sender, amount);
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions