search

code-423n4 / 2021-10-tempus-findings

0 stars 0 forks source link

No zero address check for controller in TempusPool #6

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

loop

Vulnerability details

TempusPool needs to be initialized with a valid and existing controller. When initializing a pool address controller is passed to the constructor of a pool implementation. This address is then passed as address ctrl to the TempusPool constructor where it is set to the immutable address controller. If a pool accidentally gets initialized with the zero address passed to the constructor there is no way to change it and the pool needs to be reinitialized.

Proof of Concept

https://github.com/code-423n4/2021-10-tempus/blob/main/contracts/TempusPool.sol#L66-L100

Recommended Mitigation Steps

Add something along the lines of require(ctrl != address(0), "controller can not be zero to avoid potential invalid pool initializations.

mijovic commented 3 years ago

Fair point. We will add this check. However, I think this should be severity 0, this isn't a security issue. Also, we fixed it in https://github.com/tempus-finance/tempus-protocol/pull/360

0xean commented 2 years ago

agree with downgrading severity.