code-423n4 / 2021-10-pooltogether-findings


verify address isn't address(0) missing #4

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

pants

Vulnerability details

PrizePool.depositTo doesn't check that the address _to isn't address(0). Also, MockYieldSource.supplyTokenTo doesn't check that to isn't address(0).

Tools Used

Manual code review

PierrickGT commented 3 years ago

PrizePool.depositTo does check for address zero: _depositTo calls the _mint function, which then calls _controlledToken.controllerMint(_to, _amount). In that function, we call the _mint function from the OpenZeppelin ERC20 implementation contract, which does check for address zero.

The same goes for MockYieldSource.supplyTokenTo, which calls the _mint function from the OpenZeppelin contract.
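The call chain in the reply above can be reproduced in a few lines to see where the revert actually originates. The following is an added example, not code from the PoolTogether repository or from OpenZeppelin: MinimalERC20, ControlledToken, Pool and ZeroAddressCheck are hypothetical stand-ins that mirror the depositTo -> _depositTo -> _mint -> controllerMint -> ERC20._mint chain, and MinimalERC20._mint copies only the zero-address require (with OpenZeppelin v4's revert string) rather than the full ERC20 implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Stand-in for OpenZeppelin's ERC20 (hypothetical, reduced to what the
// example needs). The require and its message mirror OZ v4's _mint.
contract MinimalERC20 {
    mapping(address => uint256) private _balances;
    uint256 private _totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function balanceOf(address account) public view returns (uint256) {
        return _balances[account];
    }

    function totalSupply() public view returns (uint256) {
        return _totalSupply;
    }

    function _mint(address account, uint256 amount) internal virtual {
        // This is the check the finding says is missing: it lives in the
        // base contract, not in the pool's depositTo.
        require(account != address(0), "ERC20: mint to the zero address");
        _totalSupply += amount;
        _balances[account] += amount;
        emit Transfer(address(0), account, amount);
    }
}

// Hypothetical controlled token: only its controller (the pool) may mint.
contract ControlledToken is MinimalERC20 {
    address public immutable controller;

    constructor(address controller_) {
        controller = controller_;
    }

    function controllerMint(address to, uint256 amount) external {
        require(msg.sender == controller, "ControlledToken: not controller");
        _mint(to, amount); // zero-address check happens inside the ERC20 base
    }
}

// Hypothetical pool that has no explicit address(0) check of its own and
// relies entirely on the inherited one.
contract Pool {
    ControlledToken public immutable ticket;

    constructor() {
        ticket = new ControlledToken(address(this));
    }

    function depositTo(address to, uint256 amount) external {
        _depositTo(to, amount);
    }

    function _depositTo(address to, uint256 amount) internal {
        _mint(to, amount);
    }

    function _mint(address to, uint256 amount) internal {
        ticket.controllerMint(to, amount);
    }
}

// Exercises both paths without a test framework: a deposit to address(0)
// must revert with the ERC20 message, a deposit to a real address must mint.
contract ZeroAddressCheck {
    function run() external returns (bool revertsOnZero, bool mintsToNonZero) {
        Pool pool = new Pool();

        try pool.depositTo(address(0), 1 ether) {
            revertsOnZero = false; // would mean the inherited check is gone
        } catch Error(string memory reason) {
            revertsOnZero =
                keccak256(bytes(reason)) == keccak256("ERC20: mint to the zero address");
        }

        pool.depositTo(address(0xBEEF), 1 ether);
        mintsToNonZero = pool.ticket().balanceOf(address(0xBEEF)) == 1 ether;
    }
}
```

Deploying ZeroAddressCheck and calling run() returns (true, true). The practical caveat for a reviewer is that the guarantee sits in a dependency: if the controlled token ever overrode _mint or moved to a base contract without the require, depositTo would silently lose the check, so a finding like this should be closed by locating the inherited require, not by assuming it exists.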

GalloDaSballo commented 3 years ago

The inheritance chain does check for address(0); the finding is invalid.