verifyfirst
commented
3 years ago In theory this is correct, however, solidity validates function parameters to be legitimate and in this instance, 0 or "0" is not a valid address.
Open code423n4 opened 3 years ago
verifyfirst
commented
3 years ago In theory this is correct, however, solidity validates function parameters to be legitimate and in this instance, 0 or "0" is not a valid address.
ghoul-sol
commented
3 years ago I'll keep the issue as it's technically correct.
Handle
cmichel
Vulnerability details
Vulnerability Details
The
Pool.removeLiquiditySinglefunction redeems liquidity tokens for underlying to the router contract in case of thetokenbeing the zero address. This works if the underlying token is actuallyWBNBbut if the pool token is different and the user accidentally inserted0as thetokenaddress, it tries to swap a zero-balance WBNB toBASEand the redeemed tokens are stuck.Recommended Mitigation Steps
If
token == 0add a check forpool.token == WBNBsuch that it is ensured that the pool's token is actuallyWBNB.