code-423n4 / 2021-12-yetifinance-findings


Missing validation of address argument could indefinitely lock treasury #163

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

defsec

Vulnerability details

Impact

The teamWallet parameter is used for the onlyTeam modifier. In the state variable, proper checks should be done; otherwise, an error in these state variables can lead to redeployment of the contract. If the zero address is assigned to the rebalanceManager parameter, that will fail all onlyTeam functions.

Proof of Concept

  1. Navigate to the following contract functions.

"https://github.com/code-423n4/2021-12-yetifinance/blob/1da782328ce4067f9654c3594a34014b0329130a/packages/contracts/contracts/YetiFinanceTreasury.sol#L29"

  2. Adding the zero address into teamWallet leads to failure of onlyTeam-only functions.

Tools Used

Code Review

Recommended Mitigation Steps

Add proper zero address validation.
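
An added example, not part of the original report and not the YetiFinanceTreasury source: a minimal hypothetical contract showing the unchecked setter (commented out) beside a hardened form. It goes one step beyond the recommendation by pairing the zero-address check with a two-step handoff; every name other than `teamWallet` and `onlyTeam` is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch; only teamWallet and onlyTeam are names taken from the report.
contract TreasurySketch {
    address public teamWallet;
    address public pendingTeamWallet; // hypothetical: nominee awaiting acceptance

    event TeamWalletProposed(address indexed current, address indexed proposed);
    event TeamWalletUpdated(address indexed previous, address indexed current);

    modifier onlyTeam() {
        require(msg.sender == teamWallet, "caller is not team");
        _;
    }

    constructor(address _teamWallet) {
        // Without this check, deploying with address(0) leaves every
        // onlyTeam function uncallable and forces a redeployment.
        require(_teamWallet != address(0), "teamWallet is zero address");
        teamWallet = _teamWallet;
    }

    // Unchecked form: a single bad argument permanently locks the role,
    // because no caller can ever satisfy onlyTeam again.
    // function updateTeamWallet(address _new) external onlyTeam {
    //     teamWallet = _new;
    // }

    // Step 1: the current team wallet nominates a successor.
    function proposeTeamWallet(address _new) external onlyTeam {
        require(_new != address(0), "teamWallet is zero address");
        pendingTeamWallet = _new;
        emit TeamWalletProposed(teamWallet, _new);
    }

    // Step 2: the nominee must call from the new address, so a mistyped
    // but non-zero address cannot take over the role either.
    function acceptTeamWallet() external {
        require(msg.sender == pendingTeamWallet, "caller is not pending");
        emit TeamWalletUpdated(teamWallet, pendingTeamWallet);
        teamWallet = pendingTeamWallet;
        pendingTeamWallet = address(0);
    }
}
```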

kingyetifinance commented 2 years ago

@LilYeti: Duplicate #115

kingyetifinance commented 2 years ago

115 is disputed to severity 0

alcueca commented 2 years ago

Duplicate of #251