51451 sc low token freezing via whitelist restriction bypass
Submitted on Aug 2nd 2025 at 23:27:29 UTC by @technicalattri for Attackathon | Plume Network
Report ID: #51451
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/WhitelistRestrictions.sol
Impacts:
Permanent freezing of funds
Description
The WhitelistRestrictions contract does not account for the zero address (address(0)) when transfersAllowed is set to false. As a result, minting and burning tokens becomes permanently blocked, even when user addresses are correctly whitelisted.
Impact: An attacker can exploit this vulnerability to permanently freeze core token functionality by bypassing whitelist restrictions on the zero address. Once transfer restrictions are enabled by the admin, any token operation involving the zero address (such as minting from address(0) or burning to address(0)) fails because the zero address is never whitelisted due to an intentional continue statement in batchAddToWhitelist(). Therefore, minting new tokens or burning existing ones becomes impossible, halting token supply adjustments and potentially rendering the token ecosystem economically unusable.
Recommendation
Update isTransferAllowed to handle mint and burn cases explicitly, instead of blindly requiring both from and to to be whitelisted:
function isTransferAllowed(address from, address to, uint256) external view override returns (bool) {
WhitelistStorage storage ws = _getWhitelistStorage();
if (ws.transfersAllowed) return true;
// Handle minting and burning
if (from == address(0)) return ws.isWhitelisted[to]; // Minting
if (to == address(0)) return ws.isWhitelisted[from]; // Burning
return ws.isWhitelisted[from] && ws.isWhitelisted[to];
}This ensures mint and burn operations depend only on the user being whitelisted, not address(0).
Proof of Concept
Admin enables transfer restrictions:
setTransfersAllowed(false);Was this helpful?