
Blacklisted users can extract value from the StablecoinExchange by operating entirely on internal balances

Open fgimenez opened this issue 1 month ago • 0 comments

Describe the bug

ref https://tempoxyz.slack.com/archives/C09PGSBNXFG/p1764913784505099

When decrement_balance_or_transfer_from() is called during order placement (line 438) or swaps (line 255), users with sufficient internal balance only have their accounting decremented via sub_balance() at line 197 - no TIP20 transfer occurs, therefore no blacklist check.

Steps to reproduce

N/A

Logs


Platform(s)

No response

Container Type

Not running in a container

What version/commit are you on?

da49fd8cb0aca41837e1e82249fed437d20e3a8d

If you've built from source, provide the full command you used

No response

Code of Conduct

  • [x] I agree to follow the Code of Conduct

fgimenez • Dec 08 '25 09:12
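
Added example (not part of the original issue and not the project's code): a simplified Rust model of the behaviour reported above, next to one possible mitigation that checks the policy before either path is taken. Only decrement_balance_or_transfer_from and sub_balance are names from the issue; the Exchange struct, transfer_from, decrement_checked and the "alice" scenario are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};
type Res = Result<(), &'static str>;

// Simplified model; struct, fields and error strings are assumptions, not project code.
#[derive(Default)]
struct Exchange {
    internal: HashMap<&'static str, u64>, // balances held inside the exchange
    wallet: HashMap<&'static str, u64>,   // stand-in for TIP20 token balances
    blacklist: HashSet<&'static str>,     // stand-in for the TIP20 transfer policy
}

impl Exchange {
    // Stand-in for a TIP20 transfer: the only place the blacklist is consulted.
    fn transfer_from(&mut self, user: &'static str, amount: u64) -> Res {
        if self.blacklist.contains(user) { return Err("blacklisted"); }
        let w = self.wallet.entry(user).or_default();
        *w = w.checked_sub(amount).ok_or("insufficient funds")?;
        Ok(())
    }
    // Pure bookkeeping: no token transfer happens, so no policy check runs.
    fn sub_balance(&mut self, user: &'static str, amount: u64) {
        *self.internal.entry(user).or_default() -= amount;
    }
    // Reported behaviour: a sufficient internal balance returns before transfer_from.
    fn decrement_balance_or_transfer_from(&mut self, user: &'static str, amount: u64) -> Res {
        if self.internal.get(user).copied().unwrap_or(0) >= amount {
            self.sub_balance(user, amount);
            return Ok(());
        }
        self.transfer_from(user, amount)
    }
    // One possible mitigation (assumption): authorize before choosing a path.
    fn decrement_checked(&mut self, user: &'static str, amount: u64) -> Res {
        if self.blacklist.contains(user) { return Err("blacklisted"); }
        self.decrement_balance_or_transfer_from(user, amount)
    }
}

// Constructed scenario: "alice" holds an internal balance and is then blacklisted.
fn scenario() -> Exchange {
    let mut ex = Exchange::default();
    ex.internal.insert("alice", 100);
    ex.blacklist.insert("alice");
    ex
}

fn main() {
    let mut ex = scenario();
    println!("{:?} {:?}", ex.decrement_balance_or_transfer_from("alice", 60), ex.decrement_checked("alice", 10));
}
```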