code-423n4 / 2021-04-vader-findings


Missing zero-address check for recipient address in critical _transfer() function of Synth.sol #242

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

ERC20 token implementations typically include zero-address checks on both sender and recipient addresses of transfer functions. For reference, see the most popular OpenZeppelin ERC20 implementation: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/3ba2a1354f8f830d5a0e711537efdbdd8bcb109e/contracts/token/ERC20/ERC20.sol#L211-L213

The _transfer() function of Synth.sol has the zero-address check for sender (which is applicable only for transferFrom because transfer and transferTo cannot have msg.sender or tx.origin as zero-addresses) but is missing the same for recipient address. Tokens can get burned by mistake and affect protocol dynamics and user funds.

Proof of Concept

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/Synth.sol#L78-L84

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add a zero-address check for the recipient address as well.
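Added illustration, not the Synth.sol source from the audited repository: a minimal ERC20-style token with the vulnerable `_transfer()` pattern the finding describes (sender checked, recipient not) beside the hardened form that adds the recipient check. The contract name, `_transferVulnerable` and the storage layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example for illustration; it is not the Synth.sol contract.
contract SynthLikeToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Vulnerable form (the pattern the finding reports): only the sender is
    // checked, so a transfer to address(0) passes every require, credits a
    // balance nobody can spend and leaves totalSupply unchanged. The tokens
    // are lost without any burn event, which skews supply accounting.
    function _transferVulnerable(address sender, address recipient, uint256 amount) internal {
        require(sender != address(0), "transfer from the zero address");
        require(balanceOf[sender] >= amount, "transfer amount exceeds balance");
        balanceOf[sender] -= amount;
        balanceOf[recipient] += amount;
        emit Transfer(sender, recipient, amount);
    }

    // Hardened form: reject the zero recipient up front, matching the
    // OpenZeppelin ERC20 _transfer() pattern the issue references.
    function _transfer(address sender, address recipient, uint256 amount) internal {
        require(sender != address(0), "transfer from the zero address");
        require(recipient != address(0), "transfer to the zero address");
        require(balanceOf[sender] >= amount, "transfer amount exceeds balance");
        balanceOf[sender] -= amount;
        balanceOf[recipient] += amount;
        emit Transfer(sender, recipient, amount);
    }

    // Public entry point routes through the hardened internal function.
    function transfer(address recipient, uint256 amount) external returns (bool) {
        _transfer(msg.sender, recipient, amount);
        return true;
    }
}
```

A unit test that calls `transfer(address(0), 1)` and expects a revert with "transfer to the zero address" is the regression check for this finding.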

strictly-scarce commented 3 years ago

https://github.com/code-423n4/2021-04-vader-findings/issues/239

dmvt commented 3 years ago

duplicate of #262