search

code-423n4 / 2022-01-livepeer-findings

0 stars 0 forks source link

Prevent accidentally burning tokens #111

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

Dravee

Vulnerability details

Impact

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Proof of Concept

Places where I couldn't find a zero address check (or where the destination isn't a zero-checked address):

arbitrum-lpt-bridge\contracts\L1\gateway\L1LPTGateway.sol:100:            TokenLike(_l1Token).transferFrom(from, l1LPTEscrow, _amount);
arbitrum-lpt-bridge\contracts\L1\gateway\L1LPTGateway.sol:150:            TokenLike(l1Token).transferFrom(l1LPTEscrow, to, amount);
arbitrum-lpt-bridge\contracts\L1\gateway\L1LPTGateway.sol:153:                TokenLike(l1Token).transferFrom(l1LPTEscrow, to, escrowBalance);
protocol\contracts\token\BridgeMinter.sol:109:        token.transfer(l1MigratorAddr, balance);

Tools Used

VS Code

Recommended Mitigation Steps

Add a check to prevent accidentally burning tokens

yondonfu commented 2 years ago

Planning on having the caller be responsible for passing the right args.

0xleastwood commented 2 years ago

I think this could be made non-critical. Users' funds are at their own risk.