ghost
commented
3 years ago sponsor acknowledge dispute severity 0 0 address should not be used as param. It is not used in our platform nevertheless we will remove ability in next version
Closed code423n4 closed 3 years ago
ghost
commented
3 years ago sponsor acknowledge dispute severity 0 0 address should not be used as param. It is not used in our platform nevertheless we will remove ability in next version
ghoul-sol
commented
3 years ago Duplicate of #38, marking as invalid
Handle
shw
Vulnerability details
Impact
The functions
timeLockERC20andtimeLockERC721lack a non-zero address check on the parameterrecipient. If this parameter is set toaddress(0)by accident, funds are locked in the vault, and even the owner could not withdraw them.Proof of Concept
If the
recipientis provided asaddress(0), no one could simply call the functionstimeUnlockERC20andtimeUnlockERC721to withdraw the fund since the requirement of themsg.senderbeing therecipient. Besides, in functionstransferERC20anddelegatedTransferERC20, therequirestatements (at lines 419 and 456) ensure the vault's balance to be greater thantimelockERC20Balances[token]after the withdraw. Thus, the locked funds are not withdrawable.Referenced code: Visor.sol#L419 Visor.sol#L456 Visor.sol#L583-L612 Visor.sol#L529-L554 Visor.sol#L632 Visor.sol#L569
Tools Used
None
Recommended Mitigation Steps
Add
require(recipient != address(0))in both functions.