Handle
toastedsteaksandwich
Vulnerability details
Impact
The _setCompAddress() function in the Comptroller contract was missing validation to prevent the administrator from setting the comp address to the zero address. Any contracts that use the comp address may face adverse effects if the address is set to the zero address. While an administrator could set the comp address to the zero address by accident or on purpose, this was considered unlikely and as such the risk is considered negligible.
Impact line
https://github.com/code-423n4/2021-04-basedloans/blob/main/code/contracts/Comptroller.sol#L1354
Recommended Mitigation Steps
Validate that the passed-in _comp address is not the zero address by adding a requirement, such as require(_comp != address(0)).
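The setter without and with the recommended check, as an added example that is not the project's Comptroller code. The contract name, the admin and compAddress state variables, the NewCompAddress event, the revert strings and the compiler version are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative stand-in for an admin-gated setter; NOT the project's Comptroller.
// admin, compAddress and NewCompAddress are assumed names for this sketch.
contract CompAddressSetterExample {
    address public admin;
    address public compAddress;

    // Emitted on every change so off-chain monitoring can see the old and new value.
    event NewCompAddress(address indexed oldComp, address indexed newComp);

    constructor(address initialComp) {
        require(initialComp != address(0), "comp is zero address");
        admin = msg.sender;
        compAddress = initialComp;
    }

    // Before: only the caller is checked, so address(0) is accepted
    // and every later read of compAddress returns the zero address.
    function _setCompAddressUnchecked(address _comp) external {
        require(msg.sender == admin, "only admin");
        compAddress = _comp;
    }

    // After: the zero address is rejected before any state is written,
    // so a mistaken call reverts and compAddress keeps its previous value.
    function _setCompAddress(address _comp) external {
        require(msg.sender == admin, "only admin");
        require(_comp != address(0), "comp is zero address");
        address oldComp = compAddress;
        compAddress = _comp;
        emit NewCompAddress(oldComp, _comp);
    }
}
```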