lucas-manuel
commented
3 years ago Only called in LoanLib.liquidateCollateral:
ICollateralLocker(collateralLocker).pull(address(this), liquidationAmt);
Open code423n4 opened 3 years ago
lucas-manuel
commented
3 years ago Only called in LoanLib.liquidateCollateral:
ICollateralLocker(collateralLocker).pull(address(this), liquidationAmt);
Handle
0xRajeev
Vulnerability details
Impact
Input validation on address parameters checking for zero addresses is always recommended especially when they are used in token transfers. Zero-address check is missing on the dst parameter of the pull() function in CollateralLocker.sol.
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/CollateralLocker.sol#L30
Tools Used
Manual Analysis
Recommended Mitigation Steps
Perform zero address input validation on dst parameter.