lack of zero address validation for recipent in _transfer() of pool.sol, synth.sol

[code423n4]

Handle

JMukesh

Vulnerability details

Impact

Due to lack of zero address validation for recipient address funds can be lost

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L130

Tools Used

manual review

Recommended Mitigation Steps

add require condition to check recipient address

[verifyfirst]

Purely user preference - don't send to a zero address and funds won't be lost

[ghoul-sol]

Burning by sending to address(0) is a valid use case.