Open code423n4 opened 3 years ago
I'm not quite sure I understand the code links provided here. The two free collateral calls should not cause any loss of funds if provided with address(0). One is purely a view function.
It's true we don't check for address(0) in the constructor but I don't understand how any of these cases can result in a loss of funds.
Duplicate #93
Handle
ad3sh_
Vulnerability details
Impact
Due to a lack of zero-address validation, funds can be lost in the following cases:
ex -
No checking of address(0) in constructor
No checking of address(0) while using low-level call to transfer eth
Proof of Concept
https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/PauseRouter.sol#L29
https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/FreeCollateralExternal.sol#L20
address account should not be zero
https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/FreeCollateralExternal.sol#L51
Tools Used
manual review
Recommended Mitigation Steps
Add zero-address validation.
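As an added illustration of the recommended mitigation (example code written for this page, not code from the Notional repository; the contract and function names are hypothetical), a constructor that rejects address(0) for its immutable dependencies and an ETH transfer helper that refuses a zero recipient and checks the result of the low-level call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Hypothetical contract illustrating zero-address validation; not Notional code.
contract ValidatedRouter {
    address public immutable governance;
    address public immutable pauseGuardian;

    // Reject address(0) at deployment: immutables cannot be corrected afterwards,
    // so a zero value would permanently break every function gated on these addresses.
    constructor(address governance_, address pauseGuardian_) {
        require(governance_ != address(0), "governance is zero address");
        require(pauseGuardian_ != address(0), "pauseGuardian is zero address");
        governance = governance_;
        pauseGuardian = pauseGuardian_;
    }

    // Low-level ETH transfer with the two checks the report asks for:
    // a non-zero recipient and a checked return value.
    function _sendEth(address payable to, uint256 amount) internal {
        require(to != address(0), "recipient is zero address");
        (bool success, ) = to.call{value: amount}("");
        require(success, "ETH transfer failed");
    }

    // Governance-only withdrawal that routes through the guarded helper.
    function withdrawTo(address payable to, uint256 amount) external {
        require(msg.sender == governance, "only governance");
        _sendEth(to, amount);
    }

    receive() external payable {}
}
```

A view function that merely reads state for address(0) returns harmless data, which is the sponsor's point above; the checks matter where an address is stored permanently or receives value.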