search

code-423n4 / 2021-05-yield-findings

0 stars 0 forks source link

Add non-zero address check of recipients when transferring funds #66

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

When calling safeTransfer and safeTransferETH, the recipient is not checked to be non-zero explicitly, leading to loss of funds if provided as address(0) accidentally.

Proof of Concept

Referenced code: Join.sol#L79 Join.sol#L89 Ladle.sol#L468 Ladle.sol#L545 Pool.sol#L166](https://github.com/code-423n4/2021-05-yield/blob/main/contracts/yieldspace/Pool.sol#L166) Pool.sol#L176 Pool.sol#L294 Pool.sol#L372-L373 Pool.sol#L417 Pool.sol#L502 Pool.sol#L577 Pool.sol#L655 PoolRouter.sol#L169

Recommended Mitigation Steps

Add non-zero checks in the above functions, e.g., require(to != address(0)).

alcueca commented 3 years ago

Duplicate with #42, I don't think this should be a contract check, but a frontend check.

dmvt commented 3 years ago

duplicate of #42