Open code423n4 opened 3 years ago
It was indeed a problem when we still had the transferFunds function, but now that we can only call the swapYieldSource one to change the yield source and move funds, this function will be reverted with the error "Transaction reverted: function call to a non-contract account" when calling _newYieldSource.depositToken() if address zero is passed as param.
Handle
JMukesh
Vulnerability details
Impact
Due to the lack of zero address validation in _requireDifferentYieldSource(), it bypasses the require condition when address(0) is entered.
Proof of Concept
https://github.com/pooltogether/swappable-yield-source/blob/89cf66a3e3f8df24a082e1cd0a0e80d08953049c/contracts/SwappableYieldSource.sol#L247
Tools Used
manual review
Recommended Mitigation Steps
Add a condition to perform zero address validation.
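
Added sketch, not taken from the report or from the PoolTogether code base, contrasting the two positions in this thread: a difference check alone, which relies on the later depositToken() call reverting, and the explicit zero-address check the report recommends. The contract name, swapImplicit, swapExplicit, _requireValidYieldSource and the error strings are hypothetical, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface: depositToken() is the only method named in the thread.
interface IYieldSource {
    function depositToken() external view returns (address);
}

// Hypothetical sketch for illustration; access control intentionally omitted.
contract YieldSourceSwapSketch {
    IYieldSource public yieldSource;

    constructor(IYieldSource _yieldSource) {
        require(address(_yieldSource) != address(0), "zero-address");
        yieldSource = _yieldSource;
    }

    // Difference check alone: address(0) differs from the current
    // yield source, so this require passes for the zero address.
    function _requireDifferentYieldSource(IYieldSource _newYieldSource) internal view {
        require(address(_newYieldSource) != address(yieldSource), "same-yield-source");
    }

    // Recommended variant: reject address(0) before any other check.
    function _requireValidYieldSource(IYieldSource _newYieldSource) internal view {
        require(address(_newYieldSource) != address(0), "zero-address");
        _requireDifferentYieldSource(_newYieldSource);
    }

    // Implicit protection: with address(0) the difference check passes, then
    // the high-level call to depositToken() reverts because the target has no
    // code. State is safe, but the caller gets a generic low-level revert.
    function swapImplicit(IYieldSource _newYieldSource) external {
        _requireDifferentYieldSource(_newYieldSource);
        require(_newYieldSource.depositToken() == yieldSource.depositToken(), "different-deposit-token");
        yieldSource = _newYieldSource;
    }

    // Explicit protection: same outcome for address(0), but the revert reason
    // names the problem and does not depend on a later external call.
    function swapExplicit(IYieldSource _newYieldSource) external {
        _requireValidYieldSource(_newYieldSource);
        require(_newYieldSource.depositToken() == yieldSource.depositToken(), "different-deposit-token");
        yieldSource = _newYieldSource;
    }
}
```

The implicit path only stays safe while every caller of the difference check goes on to make an external call on the new address; the explicit check removes that dependency.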