Closed code423n4 closed 2 years ago
0xRajeev
Missing input validation on token != zero-address and amount != 0 can accidentally result in revert (zero address) or wasted gas on zero amount transfers in both addBounty() and withdrawBounty().
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L138
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L140-L151
Manual Analysis
Add input validation for token != zero-address and amount != 0
not an exploit
If the token had address zero, the call would fail on the safeTransferFrom, no need for this check, setting as invalid
Handle
0xRajeev
Vulnerability details
Impact
Missing input validation on token != zero-address and amount != 0 can accidentally result in revert (zero address) or wasted gas on zero amount transfers in both addBounty() and withdrawBounty().
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L138
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L140-L151
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add input validation for token != zero-address and amount != 0