Boxy Rouge Eel
High
Potential Denial of Service (DoS) in matchOfferV3 Function via Blacklisted Addresses in DebitaV3Aggregator.sol
The matchOfferV3 function in DebitaV3Aggregator.sol line 609 is vulnerable to a Denial of Service (DoS) attack if malicious borrowers or lenders use blacklisted addresses as participants. If any address involved in the transaction (e.g., borrower, lender, or associated collateral/token addresses) is blacklisted by the underlying token or NFT contracts, the function can revert when attempting to transfer assets. This halts the transaction and potentially disrupts the protocol's operation.
No response
No response
No response
No response
Repeated attempts to process offers involving blacklisted addresses could disrupt the protocol and lead to operational delays.
- A malicious actor submits an offer using a blacklisted address as either the borrower or lender.
- The matchOfferV3 function is called to match the offer.
- When the function attempts to transfer ERC20 tokens or NFTs to or from the blacklisted address, the safeTransfer or transferFrom operation reverts due to blacklist restrictions imposed by the token/NFT contract.
- The function reverts, causing the offer matching process to fail and potentially locking up any collateral or funds already moved into the contract.
Use simulation or try-catch to verify that asset transfers can occur without reverts before executing the transaction