The transferFrom() function in the TokenImpl contract does not verify that the sender (i.e. the from address) is not blacklisted. As such, it is possible for a user to allow an account to spend a certain allowance regardless of their blacklisting status.

At present the function transferFrom() uses the notBlacklisted(address) modifier twice, on the msg.sender and the to address. The notBlacklisted(address) modifier should be used a third time, against the from address.
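The following is an added illustration, not the InfiniGold TokenImpl source: a minimal hypothetical token that places the transferFrom() described in the finding (notBlacklisted() on msg.sender and to only) next to the corrected version that applies the modifier to from as well. The storage names, the blacklister role and the approve() implementation are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal token illustrating Sigma Prime Infinigold Finding 2.
// This is NOT the InfiniGold TokenImpl source; names and storage layout are assumed.
contract BlacklistableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;
    address public blacklister; // assumption: deployer administers the blacklist

    constructor() { blacklister = msg.sender; }

    modifier notBlacklisted(address account) {
        require(!blacklisted[account], "account is blacklisted");
        _;
    }

    function setBlacklisted(address account, bool status) external {
        require(msg.sender == blacklister, "not blacklister");
        blacklisted[account] = status;
    }

    // An allowance granted before (or regardless of) blacklisting is what the
    // vulnerable transferFrom() below lets a spender use.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // VULNERABLE (the pattern described in the finding): only msg.sender and
    // `to` are checked, so tokens can still be moved out of a blacklisted `from`.
    function transferFromVulnerable(address from, address to, uint256 value)
        external notBlacklisted(msg.sender) notBlacklisted(to) returns (bool)
    {
        return _spend(from, to, value);
    }

    // FIXED: the modifier is applied a third time, to the `from` address.
    function transferFrom(address from, address to, uint256 value)
        external notBlacklisted(msg.sender) notBlacklisted(to) notBlacklisted(from) returns (bool)
    {
        return _spend(from, to, value);
    }

    function _spend(address from, address to, uint256 value) internal returns (bool) {
        require(allowance[from][msg.sender] >= value, "insufficient allowance");
        require(balanceOf[from] >= value, "insufficient balance");
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}
```

With a blacklisted from, transferFromVulnerable() still succeeds as long as the spender and recipient are clean, while transferFrom() reverts with "account is blacklisted".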
- Sigma Prime Infinigold Finding 2
- Access Control
- High Severity
- Missed Blacklisting
- transferFrom() from Addr
- Apply notBlacklisted() from Addr
- Youtube Reference
- High Risk severity finding from Sigma Prime's Audit of InfiniGold