code-423n4 / 2022-10-juicebox-findings


Lack of valid address check for new delegate #208

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JB721TieredGovernance.sol#L211

Vulnerability details

Impact

Detailed description of the impact of this finding. The function _delegateTier allows one to change to a new delegate for a tier. However, there is no zero address check for the new delegate or validity check for the address (input error).

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JB721TieredGovernance.sol#L211

Tools Used

Manual

Recommended Mitigation Steps

Introduce a zero address check, and in the long run, one needs to introduce a two-step process to transfer the delegate: the owner proposes the new delegate, and the new delegate needs to accept it via a function to complete the assignment of the new delegate for a tier.
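
The propose/accept flow recommended above, as an added example that is not code from the juice-nft-rewards repository or from the finding's author. The contract, function, error and event names are hypothetical, the "owner" of the recommendation is modelled as the token holder, and the voting-unit bookkeeping a governance contract performs on delegation is assumed to happen elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Added illustration only: a per-tier delegate registry, not the
/// JB721TieredGovernance contract. All names here are hypothetical.
contract TwoStepTierDelegation {
    error ZeroAddressDelegate();
    error NoPendingProposal();
    error NotProposedDelegate();

    event DelegateProposed(address indexed holder, uint256 indexed tierId, address indexed proposed);
    event DelegateChanged(address indexed holder, uint256 indexed tierId, address oldDelegate, address newDelegate);

    // holder => tierId => active delegate
    mapping(address => mapping(uint256 => address)) public delegateOf;
    // holder => tierId => delegate proposed but not yet accepted
    mapping(address => mapping(uint256 => address)) public pendingDelegateOf;

    /// Step 1: the holder proposes a delegate for one tier.
    function proposeTierDelegate(address proposed, uint256 tierId) external {
        // Zero-address check: rejects the most common input error up front.
        if (proposed == address(0)) revert ZeroAddressDelegate();
        pendingDelegateOf[msg.sender][tierId] = proposed;
        emit DelegateProposed(msg.sender, tierId, proposed);
    }

    /// Step 2: the proposed delegate accepts, which shows the address is
    /// controlled by someone and was not a typo.
    function acceptTierDelegate(address holder, uint256 tierId) external {
        address proposed = pendingDelegateOf[holder][tierId];
        if (proposed == address(0)) revert NoPendingProposal();
        if (msg.sender != proposed) revert NotProposedDelegate();

        address old = delegateOf[holder][tierId];
        // Clear the proposal first so it cannot be accepted twice.
        delete pendingDelegateOf[holder][tierId];
        delegateOf[holder][tierId] = proposed;
        emit DelegateChanged(holder, tierId, old, proposed);
    }

    /// The holder can withdraw a mistaken proposal before it is accepted.
    function cancelTierDelegateProposal(uint256 tierId) external {
        delete pendingDelegateOf[msg.sender][tierId];
    }
}
```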

drgorillamd commented 1 year ago

Duplicate #228

c4-judge commented 1 year ago

Picodes marked the issue as not a duplicate

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-10-juicebox-findings/issues/9