code-423n4 / 2023-03-neotokyo-findings


BYTES2.getReward: no check for input #458

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/BYTES2.sol#L114-L129

Vulnerability details

Impact

The function getReward should validate that _to is not an empty address (0x0) to prevent accidental loss of BYTES.

Impact: reward BYTES minted to address(0) will be lost

Proof of Concept

https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/BYTES2.sol#L114-L129

    function getReward (
        address _to
    ) external {
        (
            uint256 reward,
            uint256 daoCommision
        ) = IStaker(STAKER).claimReward(_to);

        // Mint both reward BYTES and the DAO tax to targeted recipients.
        if (reward > 0) {
            _mint(_to, reward);
        }
        if (daoCommision > 0) {
            _mint(TREASURY, daoCommision);
        }
    }

Tools Used

Manual review

Recommended Mitigation Steps

Consider implementing the proposed validation: require _to != address(0)

c4-judge commented 1 year ago

hansfriese marked the issue as unsatisfactory: Invalid

hansfriese commented 1 year ago

_to means _recipient in claimReward()