Transfer block bypass
Description
When blockAllTransfers is set to true in NameToken, the intention is for all transfers to be blocked. However, even with blockAllTransfers being set, users can still use the bridging functionality to transfer tokens to other chains to arbitrary addresses.
This allows circumvention of transfer restrictions, as a user can bridge their token to another chain and then bridge it back to a different address, effectively performing a transfer.
The bridge() function does not check the transfer-restriction state, creating an inconsistency in policy enforcement.
Impact
This issue neutralizes intended transfer-restriction policies and allows circumvention of restrictions set for regulatory or security reasons.
Recommendations
It is recommended to check the blockAllTransfers flag and revert if necessary in internal cases such as mint or burn functions where the from or to address is address(0).
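The recommendation above, sketched as an added example; this is not NameToken's code and not the fix in the referenced commit. Only blockAllTransfers and bridge() are names from the finding. The contract name, _update, receiveBridged, bridgeEndpoint and the burn-on-send, mint-on-receive bridge design are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal model of a transfer-restricted token with a bridge.
// Assumed design: bridging out burns locally, bridging in mints locally.
contract NameTokenModel {
    error TransfersBlocked();
    error NotOwner();

    address public immutable admin;
    address public immutable bridgeEndpoint; // assumed trusted cross-chain messenger
    bool public blockAllTransfers;
    mapping(uint256 => address) public ownerOf;

    event BridgeOut(uint256 indexed tokenId, uint256 dstChainId, address recipient);

    constructor(address bridgeEndpoint_) {
        admin = msg.sender;
        bridgeEndpoint = bridgeEndpoint_;
    }

    function setBlockAllTransfers(bool blocked) external {
        require(msg.sender == admin, "not admin");
        blockAllTransfers = blocked;
    }

    // Single choke point for every ownership change: transfer, mint and burn.
    function _update(address from, address to, uint256 tokenId) internal {
        // Weak form: exempting from == address(0) or to == address(0) here
        // lets the bridge's burn and mint move a token while transfers are blocked.
        // Hardened form: no exemption for address(0).
        if (blockAllTransfers) revert TransfersBlocked();
        if (ownerOf[tokenId] != from) revert NotOwner();
        ownerOf[tokenId] = to;
    }

    function transfer(address to, uint256 tokenId) external {
        _update(msg.sender, to, tokenId);
    }

    // Outbound bridge: burn path, to == address(0).
    function bridge(uint256 tokenId, uint256 dstChainId, address recipient) external {
        _update(msg.sender, address(0), tokenId);
        emit BridgeOut(tokenId, dstChainId, recipient);
    }

    // Inbound bridge: mint path, from == address(0).
    function receiveBridged(address recipient, uint256 tokenId) external {
        require(msg.sender == bridgeEndpoint, "not bridge");
        _update(address(0), recipient, tokenId);
    }
}
```

In this model an inbound message that arrives while the flag is set reverts in receiveBridged, so a bridge built this way needs a way to redeliver it once the restriction is lifted.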
Remediation
This issue has been acknowledged by D3, and a fix was implemented in commit a18a5e21.