code-423n4 / 2021-12-yetifinance-findings


CollSurplusPool doesn't verify that the passed `_whitelistAddress` is an actual contract address #230

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

Ruhum

Vulnerability details

Impact

All the other passed variables are checked. Only `_whitelistAddress` is ignored. This allows passing a zero function which would break the functionality.

Proof of Concept

https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L51-L54

Tools Used

none

Recommended Mitigation Steps

Add `checkContract(_whitelistAddress)`.
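To make the finding concrete, here is an added illustration (not the project's code) of the address-wiring pattern the warden describes, with the unchecked `setAddresses` beside the mitigated one. The `checkContract` helper is assumed to follow the common Liquity-style pattern (zero-address plus `extcodesize` check); the storage variable names, the `setAddresses` signature and the owner restriction are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed helper (Liquity-style): rejects the zero address and any address
// without deployed code. Caveat: extcodesize is 0 for a contract that is still
// running its constructor, so this check must not be applied to an address
// that is being constructed in the same transaction.
abstract contract CheckContract {
    function checkContract(address _account) internal view {
        require(_account != address(0), "Account cannot be the zero address");
        uint256 size;
        assembly { size := extcodesize(_account) }
        require(size > 0, "Account code size cannot be zero");
    }
}

// Before: every wired address except _whitelistAddress is validated.
contract CollSurplusPoolBefore is CheckContract {
    address public owner = msg.sender;           // assumed owner restriction
    address public troveManagerAddress;
    address public whitelist;

    function setAddresses(address _troveManagerAddress, address _whitelistAddress) external {
        require(msg.sender == owner, "not owner");
        checkContract(_troveManagerAddress);
        // _whitelistAddress is stored unchecked: a zero address or an EOA
        // passed by mistake at deployment leaves every whitelist-dependent
        // call reverting, and a one-shot setter cannot be re-run to fix it.
        troveManagerAddress = _troveManagerAddress;
        whitelist = _whitelistAddress;
    }
}

// After: the whitelist address gets the same validation as the others,
// so a bad deployment parameter fails loudly in setAddresses itself.
contract CollSurplusPoolAfter is CheckContract {
    address public owner = msg.sender;           // assumed owner restriction
    address public troveManagerAddress;
    address public whitelist;

    function setAddresses(address _troveManagerAddress, address _whitelistAddress) external {
        require(msg.sender == owner, "not owner");
        checkContract(_troveManagerAddress);
        checkContract(_whitelistAddress);        // the recommended mitigation
        troveManagerAddress = _troveManagerAddress;
        whitelist = _whitelistAddress;
    }
}
```

A deployment script or test that calls `setAddresses` with `address(0)` for the whitelist now reverts immediately instead of producing a silently broken pool.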

kingyetifinance commented 2 years ago

@LilYeti: This is quite a niche risk during deployment but is an issue nonetheless.

0xtruco commented 2 years ago

resolved