#41689 [SC-Insight] Blacklisting a Kodiak vault unintentionally whitelists a previously blacklisted token
Was this helpful?
Was this helpful?
Submitted on Mar 17th 2025 at 15:32:22 UTC by @peppef for
Report ID: #41689
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
In the Zapper.sol
contract the methods updateSwappableTokens()
and updateWhitelistedKodiakVault()
helps the blacklisting token and vault processes.
```solidity
However they both edit the state of the mapping _updateWhitelistedTokens[]
which can lead to a weird scenario where blacklisting a vault which involves a blacklisted token has the contrary effect to whitelist it again in _updateWhitelistedTokens[]
.
Suppose the following scenario:
A token named $BAD_TOKEN is blacklisted by the owner using the following code
This, through _updateWhitelistedTokens()
private function sets whitelistedTokens[bad_token_address] = false
At this point zapIn and zapOut methods are still usable on vaults involving $BAD_TOKEN since the onlyWhitelistedKodiakVaults()
modifier only checks for whitelisted vaults in the mapping whitelistedKodiakVaults[]
For this reason the owner proceeds to blacklist the first vault involving $BAD_TOKEN, for example wBERA/BAD_TOKEN
vault with
This function call sets whitelistedKodiakVaults[wBera_BadToken_vault] = false
but at the same time whitelists again bad_token_address inside whitelistedTokens[]
which was previously blacklisted due to the how updateWhitelistedKodiakVault()
is implemented
Additionally the owner needs some time to blacklist all the other vaults involving $BAD_TOKEN for example: HONEY/BAD_TOKEN, USDT/BAD_TOKEN, USDC/BAD_TOKEN and thus, in the meanwhile, those vaults are still being usable by users and every potential blacklisting call to updateSwappableTokens()
is useless due to next updateWhitelistedKodiakVault()
call.