Open code423n4 opened 2 years ago
This is a completely fair point. However, this should be 0 severity. I think we will not be fixing this, if someone transfers tokens to the contract it will stay locked there anyway. This is the same as with ERC20 token transfers to the contract...
Agree with sponsor, while this check could help it is certainly non-critical and only protects for a very specific error on the part of the caller of transferFees
Downgrading to 0.
Handle
cmichel
Vulnerability details
The
TempusPool.transferFees
function allows therecipient
of the fees to be the pool contract itself. This leads to accounting erros as thetotalFees
have been reset to zero, but the fees are still in the pool.Recommended Mitigation Steps
Check
recipient != address(this)
.