[VEN-2240]: Certik audit fixes on token bridge

contracts/Bridge/token/TokenController.sol

@@ -60,6 +60,10 @@ contract TokenController is Ownable, Pausable {
      * @notice This error is used to indicate that minting is not allowed for the specified addresses.
      */
     error MintNotAllowed(address from, address to);
+    /**
+     * @notice This error is used to indicate that transfers are not allowed for the to_ address.
+     */
+    error TransferNotAllowed(address to);
     /**
      * @notice This error is used to indicate that sender is not allowed to perform this action.
      */

contracts/Bridge/token/XVS.sol

@@ -44,4 +44,17 @@ contract XVS is ERC20, TokenController {
         _burn(account_, amount_);
         _increaseMintLimit(msg.sender, amount_);
     }
+
+    /**
+     * @notice Moves `amount` of tokens from `from` to `to`.
+     * @param from_ Address of account from which tokens are to be transferred.
+     * @param to_ Address of the account to which tokens are to be transferred.
+     * @param amount_ The amount of tokens to be transferred.
+     */
+    function _transfer(address from_, address to_, uint256 amount_) internal override {
+        if (_blacklist[to_]) {
+            revert TransferNotAllowed(to_);
+        }
+        super._transfer(from_, to_, amount_);
+    }
 }

test/proxyOFT.ts

@@ -508,6 +508,35 @@ describe("Proxy OFTV2: ", function () {
     accessControlManager.isAllowedToCall.returns(true);
   });
 
+  it("Reverts transfer of remote token to blacklist address", async function () {
+    const amount = ethers.utils.parseEther("10", 18);
+    await localToken.connect(acc2).faucet(amount);
+    await localToken.connect(acc2).approve(localOFT.address, amount);
+
+    const acc3AddressBytes32 = ethers.utils.defaultAbiCoder.encode(["address"], [acc3.address]);
+    const nativeFee = (
+      await localOFT.estimateSendFee(remoteChainId, acc3AddressBytes32, amount, false, defaultAdapterParams)
+    ).nativeFee;
+
+    await expect(
+      localOFT
+        .connect(acc2)
+        .sendFrom(
+          acc2.address,
+          remoteChainId,
+          acc3AddressBytes32,
+          amount,
+          [acc2.address, ethers.constants.AddressZero, defaultAdapterParams],
+          { value: nativeFee },
+        ),
+    ).to.emit(remoteOFT, "ReceiveFromChain");
+    await remoteToken.updateBlacklist(acc3.address, true);
+    await expect(remoteToken.connect(acc2).transfer(acc3.address, amount)).to.be.revertedWithCustomError(
+      remoteToken,
+      "TransferNotAllowed",
+    );
+  });
+
   it("Reverts if try to set cap less than already minted tokens", async function () {
     const initialAmount = ethers.utils.parseEther("20", 18);
     await localToken.connect(acc2).faucet(initialAmount);