code-423n4 / 2021-04-basedloans-findings

Lack of a non-zero address check in the function `doTransferOut` can cause loss of funds. #40

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The `doTransferOut` functions in both the `CErc20` and `CEther` contracts do not check whether the recipient (`address payable to`) is non-zero, which could cause loss of funds if funds are accidentally sent to the zero address.

Proof of Concept

Referenced code: CEther.sol#L145-L148 CErc20.sol#L180-L199

Tools Used

None

Recommended Mitigation Steps

Add a `require(to != address(0))` check at the beginning of the `doTransferOut` functions.
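An added illustration of the issue and of the recommended check, written for this page and not taken from the BasedLoans contracts (contract names, the `redeemTo` entry point and the ERC20 return-value handling are assumptions; only `doTransferOut` and the `require` come from the finding):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed by the ERC20 variant below.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative only: a stripped-down CEther-style contract. Names and
// structure are assumptions; this is not the BasedLoans code.
contract CEtherLike {
    // Vulnerable shape: nothing stops `to` from being address(0).
    // A native-ETH transfer to the zero address does not revert, so the
    // ETH is simply burned.
    function doTransferOutUnchecked(address payable to, uint256 amount) internal {
        to.transfer(amount);
    }

    // Hardened shape: the check recommended in the finding.
    function doTransferOut(address payable to, uint256 amount) internal {
        require(to != address(0), "doTransferOut: zero address");
        to.transfer(amount);
    }

    // Entry points so the contract can hold ETH and be exercised in a test.
    receive() external payable {}
    function redeemTo(address payable to, uint256 amount) external {
        doTransferOut(to, amount);
    }
}

// Same pattern for the ERC20 variant. Many tokens revert on a zero-address
// recipient, but the ERC20 standard does not require it, so the check
// belongs in the lending contract rather than being delegated to the token.
contract CErc20Like {
    IERC20 public immutable underlying;
    constructor(IERC20 token) {
        underlying = token;
    }

    function doTransferOut(address to, uint256 amount) internal {
        require(to != address(0), "doTransferOut: zero address");
        require(underlying.transfer(to, amount), "doTransferOut: transfer failed");
    }

    function redeemTo(address to, uint256 amount) external {
        doTransferOut(to, amount);
    }
}
```

Calling `redeemTo(payable(address(0)), 1 ether)` on `CEtherLike` reverts with the zero-address message, whereas the unchecked variant would burn the ETH silently.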

ghoul-sol commented 3 years ago

Duplicate #16

ghoul-sol commented 3 years ago

Recommended fix has been implemented.

cemozerr commented 3 years ago

Closing as this is a duplicate.