search

code-423n4 / 2021-09-wildcredit-findings

0 stars 0 forks source link

Lack of check for address(0) in `LendingPair.depositUniPosition` #112

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

GalloDaSballo

Vulnerability details

Impact

The function depositUniPosition is not checking if the deposit address is different from address(0) https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LendingPair.sol#L103

Interestingly enough, only one depositor could make the mistake before the position is irrevocably lost and no-one else would be able to deposit for address(0)

Recommended Mitigation Steps

Add a check require(_account != address(0));

talegift commented 3 years ago

Checking this would increase gas costs for all users while only making it a bit safer for an absolute edge case of users who try to use etherscan directly and enter zero address into the accounting field for some reason.

I suggest lowering the severity to 0.

This doesn't sound like a good tradeoff.

ghoul-sol commented 2 years ago

best practice recommendation, non-critical