Open code423n4 opened 3 years ago
Fair point. We will add this check. However, I think this should be severity 0, this isn't a security issue. Also, we fixed it in https://github.com/tempus-finance/tempus-protocol/pull/360
agree with downgrading severity.
Handle
loop
Vulnerability details
TempusPool needs to be initialized with a valid and existing controller. When initializing a pool
address controller
is passed to the constructor of a pool implementation. Thisaddress
is then passed asaddress ctrl
to the TempusPool constructor where it is set to the immutableaddress controller
. If a pool accidentally gets initialized with the zero address passed to the constructor there is no way to change it and the pool needs to be reinitialized.Proof of Concept
https://github.com/code-423n4/2021-10-tempus/blob/main/contracts/TempusPool.sol#L66-L100
Recommended Mitigation Steps
Add something along the lines of
require(ctrl != address(0), "controller can not be zero
to avoid potential invalid pool initializations.