Open code423n4 opened 3 years ago
Only called through contracts
Handle
0xRajeev
Vulnerability details
Impact
Input validation on address parameters checking for zero addresses is always recommended, especially when they are used in token transfers. Zero-address check is missing on the dst parameter of the pull() function in FundingLocker.sol.
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/FundingLocker.sol#L30
Tools Used
Manual Analysis
Recommended Mitigation Steps
Perform zero address input validation on dst parameter.