Missing zero address check on _requestLoan

[code423n4]

Lines of code

https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPair.sol#L209 https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L229

Vulnerability details

Issue: No zero address check for to Consequences: Irrecoverable loss of the collateral NFT.

Proof of Concept

• The NFT will be transferred in, but loan.borrower will be set to zero address
• The true borrower will not be able to withdraw the NFT via removeCollateral to rectify the mistake (L251)
• No lender will be able to accept the borrow as the bentoBox share transfer of the lender's funds to loan.borrower will fail the zero-address check. (L305)

Mitigations

Add zero address check.

[cryptolyndon]

Duplicate of #91

[0xean]

Non critical. marking as dupe of the wardens QA report #137