Fast Khaki Raccoon

High

_update does not properly check for blacklisted users

Summary

DecentralizedIndex::_update implements a blacklist and, like any other blacklistable token, blocks transfers to blacklisted addresses. However, it still allows transfers from blacklisted addresses, so a user who gets blacklisted can simply transfer their tokens out.

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/DecentralizedIndex.sol#L160

    function _update(address _from, address _to, uint256 _amount) internal override {
        require(!_blacklist[_to], "BK");

Root Cause

_update does not check whether _from is blacklisted.

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/DecentralizedIndex.sol#L160

    function _update(address _from, address _to, uint256 _amount) internal override {
        require(!_blacklist[_to], "BK");

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. A user gets blacklisted
  2. The user transfers the funds to another address they control

Impact

The blacklist won't work, as any blacklisted user can just transfer their funds to another address.

PoC

No response

Mitigation

Make sure the function reverts if the sender is blacklisted.
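
A sketch of that mitigation, added here as an example and not taken from the Peapods code base. It assumes OpenZeppelin Contracts v5 (where `ERC20._update` is the single transfer hook); the contract name `BlacklistTokenExample`, `setBlacklist`, `isBlacklisted` and the event are hypothetical, and only `_update`, `_blacklist` and the `"BK"` revert string come from the snippet quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical minimal token, not DecentralizedIndex: it models only the
// blacklist logic discussed in the finding.
contract BlacklistTokenExample is ERC20, Ownable {
    mapping(address => bool) private _blacklist;

    event SetBlacklist(address indexed account, bool blacklisted);

    constructor() ERC20("Example", "EX") Ownable(msg.sender) {
        _mint(msg.sender, 1_000 ether);
    }

    function setBlacklist(address account, bool blacklisted) external onlyOwner {
        // Mints use _from == address(0) and burns use _to == address(0), so
        // blacklisting the zero address would block every mint and burn.
        require(account != address(0), "ZERO");
        _blacklist[account] = blacklisted;
        emit SetBlacklist(account, blacklisted);
    }

    function isBlacklisted(address account) external view returns (bool) {
        return _blacklist[account];
    }

    function _update(address _from, address _to, uint256 _amount) internal override {
        // Check already present in the quoted code: recipient.
        require(!_blacklist[_to], "BK");
        // Added check: the owner of the balance being moved. Testing _from
        // rather than msg.sender also stops transferFrom calls made by a
        // spender that was approved before the blacklisting. As a consequence,
        // burns from a blacklisted holder revert as well.
        require(!_blacklist[_from], "BK");
        super._update(_from, _to, _amount);
    }
}
```

A regression test for the fix should blacklist a holder and then assert that `transfer`, `transferFrom` through an existing allowance, and a burn from that holder all revert with `"BK"`.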