code-423n4 / 2021-04-basedloans-findings


Missing input validation may set COMP token to zero-address in Comptroller.sol #20

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Function _setCompAddress() is used by the admin to change the COMP token address. However, there is no zero-address validation on the parameter. This may accidentally set the COMP token address to the zero address, but it can be reset by the admin. Any interim transactions might hit exceptional behavior.

Proof of Concept

https://github.com/code-423n4/2021-04-basedloans/blob/5c8bb51a3fdc334ea0a68fd069be092123212020/code/contracts/Comptroller.sol#L1350-L1357

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add a zero-address check to the _comp parameter of _setCompAddress().
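Added example (not the BasedLoans Comptroller code): a minimal admin setter showing the unchecked pattern the finding describes beside the mitigated version with the zero-address check. The contract name, the `_setCompAddressUnchecked` name and the event are assumed for illustration; only `_setCompAddress` and its `_comp` parameter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the finding; not the Comptroller.sol code.
contract CompAddressSetterExample {
    address public admin;
    address public comp;

    event NewCompAddress(address oldComp, address newComp);

    constructor(address initialComp) {
        require(initialComp != address(0), "comp: zero address");
        admin = msg.sender;
        comp = initialComp;
    }

    // The pattern the finding describes: admin-only, but no zero-address check.
    // A mistaken argument silently sets comp to address(0); until the admin
    // resets it, any code that calls into the COMP token will fail.
    function _setCompAddressUnchecked(address _comp) external {
        require(msg.sender == admin, "only admin");
        emit NewCompAddress(comp, _comp);
        comp = _comp;
    }

    // Recommended mitigation: reject the zero address before storing it,
    // so a bad admin transaction reverts instead of leaving the protocol
    // in an interim broken state.
    function _setCompAddress(address _comp) external {
        require(msg.sender == admin, "only admin");
        require(_comp != address(0), "comp: zero address");
        emit NewCompAddress(comp, _comp);
        comp = _comp;
    }
}
```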

ghoul-sol commented 3 years ago

Duplicate of #14