search

code-423n4 / 2021-09-defiprotocol-findings

1 stars 0 forks source link

Missing input validation on token address and amount #161

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

Missing input validation on token != zero-address and amount != 0 can accidentally result in revert (zero address) or wasted gas on zero amount transfers in both addBounty() and withdrawBounty().

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L138

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L140-L151

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add input validation for token != zero-address and amount != 0

frank-beard commented 2 years ago

not an exploit

GalloDaSballo commented 2 years ago

If the token had address zero, the call would fail on the safeTransferFrom, no need for this check, setting as invalid