Active Boosts

52796 sc low whitelist restriction in arctoken blocks all minting and burning

Submitted on Aug 13th 2025 at 08:54:33 UTC by @ZeroExRes for Attackathon | Plume Network

  • Report ID: #52796

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/WhitelistRestrictions.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The WhitelistRestrictions module has a critical issue where enabling transfer restrictions (transfersAllowed = false) blocks all minting and burning operations, even for whitelisted addresses and role-protected administrative functions. This occurs because the module requires both sender AND recipient addresses to be whitelisted, but address(0) (used in mint/burn operations) cannot be whitelisted due to validation checks. This renders the whitelist feature completely unusable for transfer restrictions and can lead to inability to adjust tokenonomics.

Vulnerability Details

The core issue lies in the interaction below:

  1. WhitelistRestrictions.isTransferAllowed() Logic:

function isTransferAllowed(address from, address to, uint256 /*amount*/) external view override returns (bool) {
    WhitelistStorage storage ws = _getWhitelistStorage();
    
    if (ws.transfersAllowed) {
        return true; // Unrestricted transfers
    }
    
    // BUG: Requires BOTH addresses to be whitelisted
    return ws.isWhitelisted[from] && ws.isWhitelisted[to];
}

  1. Zero Address Cannot Be Whitelisted:

  1. ERC20 Mint/Burn Uses Zero Address: Openzeppelin implementation is

  • Minting: _update(address(0), recipient, amount) - from = address(0)

  • Burning: _update(sender, address(0), amount) - to = address(0)

  1. ArcToken Enforces Restrictions on these Operations:

1

Execution Flow Demonstrating the Bug — step

  1. Admin sets transfersAllowed = false to enable whitelist restrictions

2

Execution Flow Demonstrating the Bug — step

  1. Admin attempts to mint tokens to whitelisted user Alice

3

Execution Flow Demonstrating the Bug — step

  1. ArcToken.mint() calls _update(address(0), alice, amount)

4

Execution Flow Demonstrating the Bug — step

  1. WhitelistRestrictions.isTransferAllowed(address(0), alice, amount) is called

5

Execution Flow Demonstrating the Bug — step

  1. Returns isWhitelisted[address(0)] && isWhitelisted[alice] = false && true = false

6

Execution Flow Demonstrating the Bug — step

  1. Transaction reverts with TransferRestricted()

7

Execution Flow Demonstrating the Bug — step

  1. Same issue occurs for burning operations

Impact Details

All minting and burning operations become permanently blocked when whitelist is enabled without disabling the whitelist entirely. In essence, this vulnerability makes the whitelist restriction feature completely unusable for its intended purpose, forcing admin to choose between transfer restrictions OR functional minting/burning, but never both. This may result in further issues, for example, transfer would need to allowed in whitelist restrictions, at least temporarily for mint/burn, risking non-compliant transfer by the existing holders.

References

Mentioned above.

Proof of Concept

Add to ArcToken.t.sol

Previous50393 sc insight unused admin state variable increases deployment and storage costs Next52956 sc high state inconsistency in batched yield distribution leads to direct theft of user funds and protocol insolvency

Was this helpful?