search

code-423n4 / 2021-09-wildcredit-findings

0 stars 0 forks source link

LPTokenMaster.initialize is not checking for addresses not being 0 #110

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

GalloDaSballo

Vulnerability details

Impact

Initializer in LpTokenMaster: https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LPTokenMaster.sol#L33

Receives _underlying and _lendingController There are no checks for these addresses not being 0

Especially since the initializer can be called only once, it's best to have that check

Recommended Mitigation Steps

Add checks in initialize require(_underlying != address(0); require(_lendingController != address(0);

talegift commented 2 years ago

This contract cannot be reviewed in isolation.

LendingPair contracts are created in a single atomic transaction inside of the PairFactory which performs the initialization during the pair creation. It will always enter the right parameters so this check is not needed here.

ghoul-sol commented 2 years ago

per sponsor comment, invalid