Closed code423n4 closed 2 years ago
This contract cannot be reviewed in isolation.
LendingPair
contracts are created in a single atomic transaction inside of the PairFactory
which performs the initialization during the pair creation. It will always enter the right parameters so this check is not needed here.
per sponsor comment, invalid
Handle
GalloDaSballo
Vulnerability details
Impact
Initializer in LpTokenMaster: https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LPTokenMaster.sol#L33
Receives
_underlying
and_lendingController
There are no checks for these addresses not being 0Especially since the initializer can be called only once, it's best to have that check
Recommended Mitigation Steps
Add checks in
initialize
require(_underlying != address(0);
require(_lendingController != address(0);