search

code-423n4 / 2021-07-spartan-findings

0 stars 0 forks source link

Pool.constructor(address,address) does not check for zero address #204

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

heiho1

Vulnerability details

Impact

Pool.constructor(address,address) lines 44 and 45 accept possibly zero address for base/token

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L44

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L45

Tools Used

Slither

Recommended Mitigation Steps

If base/token is to be treated as zero address, it should be positively checked. If not then it should be negatively checked.

verifyfirst commented 3 years ago

Checks are done in the poolFactory

verifyfirst commented 3 years ago

This is a duplicate of #147

ghoul-sol commented 3 years ago

Duplicate of #147 so low risk