Open code423n4 opened 3 years ago
Handle
0xRajeev
Vulnerability details
Impact
Input validation on address parameters checking for zero addresses is always recommended especially when they are used in token transfers. Zero-address check is missing on the dst parameter of the pull() function in StakeLocker.sol.
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/StakeLocker.sol#L131
Tools Used
Manual Analysis
Recommended Mitigation Steps
Perform zero address input validation on dst parameter.
Won't address since it is only called in PoolLib.handleDefault:
IStakeLocker(stakeLocker).pull(address(this), bPool.balanceOf(stakeLocker));
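An added example, not code from maple-core or from this issue: a minimal sketch of the recommended check, assuming a stake token whose transfer() does not itself reject the zero address. PermissiveToken, StakeLockerSketch, pullUnchecked, the isPool restriction, the compiler version and the revert strings are hypothetical; only pull() and dst come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version for this sketch

// Constructed minimal token: transfer() does NOT reject address(0),
// so any balance sent there is unrecoverable.
contract PermissiveToken {
    mapping(address => uint256) public balanceOf;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function transfer(address to, uint256 amt) external returns (bool) {
        require(balanceOf[msg.sender] >= amt, "INSUFFICIENT_BALANCE");
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt; // no zero-address guard in the token
        return true;
    }
}

// Hypothetical locker, not the maple-core contract.
contract StakeLockerSketch {
    PermissiveToken public immutable stakeAsset;
    address public immutable pool;

    constructor(uint256 supply) {
        pool = msg.sender; // assumed: the deployer is the only allowed caller
        stakeAsset = new PermissiveToken(address(this), supply);
    }

    modifier isPool() {
        require(msg.sender == pool, "NOT_POOL");
        _;
    }

    // Before: correctness depends entirely on the caller passing a sane dst.
    function pullUnchecked(address dst, uint256 amt) external isPool returns (bool) {
        return stakeAsset.transfer(dst, amt);
    }

    // After: the zero address is rejected whatever the token or caller does.
    function pull(address dst, uint256 amt) external isPool returns (bool) {
        require(dst != address(0), "ZERO_DST");
        return stakeAsset.transfer(dst, amt);
    }
}
```

With a caller that always passes address(this), as in the reply above, both versions behave identically; the check only matters if a future call site passes an unset address.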