`transferFees` may not be the contract itself

[code423n4]

Handle

cmichel

Vulnerability details

The TempusPool.transferFees function allows the recipient of the fees to be the pool contract itself. This leads to accounting erros as the totalFees have been reset to zero, but the fees are still in the pool.

Recommended Mitigation Steps

Check recipient != address(this).

[mijovic]

This is a completely fair point. However, this should be 0 severity. I think we will not be fixing this, if someone transfers tokens to the contract it will stay locked there anyway. This is the same as with ERC20 token transfers to the contract...

[0xean]

Agree with sponsor, while this check could help it is certainly non-critical and only protects for a very specific error on the part of the caller of transferFees Downgrading to 0.