Closed code423n4 closed 1 year ago
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L96
Vulnerability details
[H-01]
RewardsManager.sol contract: the ajnaToken_ input address isn't checked to see if it refers to a contract address.
Impact
All the functions that call the ajnaToken address will fail or redirect to a malicious address; hence the rewards will be locked/lost.
Proof of Concept
Instances: 1
File: 2023-05-ajna/ajna-core/src/RewardsManager.sol
Line 96: if (ajnaToken_ == address(0)) revert DeployWithZeroAddress();
Tools Used
Manual Testing.
Recommended Mitigation Steps
Check that the ajnaToken_ address is a contract address; this function can be used to check:
```solidity
function checkSize(address addr) public view returns (uint extSize) {
    assembly {
        extSize := extcodesize(addr) // returns 0 if EOA, >0 if smart contract
    }
}
```
Assessed type
Invalid Validation
Picodes marked the issue as unsatisfactory: Overinflated severity
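The check recommended in the report, placed next to the existing zero-address check, as an added example that is not part of the report or of the Ajna code base. The contract name, the interface, and the errors `TokenHasNoCode` and `TokenNotERC20Like` are hypothetical; the `totalSupply()` probe is an extra assumption that the token is ERC-20-like.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration only; hypothetical names, not taken from ajna-core.
interface IERC20Minimal {
    function totalSupply() external view returns (uint256);
}

contract RewardsManagerSketch {
    error DeployWithZeroAddress(); // error name as quoted in the report (line 96)
    error TokenHasNoCode();        // hypothetical
    error TokenNotERC20Like();     // hypothetical

    address public immutable ajnaToken;

    constructor(address ajnaToken_) {
        // Existing check quoted in the report.
        if (ajnaToken_ == address(0)) revert DeployWithZeroAddress();

        // Same test as the report's extcodesize helper. The size is zero for an
        // EOA, for an address with nothing deployed yet, and for a contract
        // that is still executing its own constructor.
        if (ajnaToken_.code.length == 0) revert TokenHasNoCode();

        // Code at the address does not show that it is a token, so probe one
        // read-only ERC-20 function and reject the deployment if the call reverts.
        try IERC20Minimal(ajnaToken_).totalSupply() returns (uint256) {
            // Call succeeded; the returned value itself is not used.
        } catch {
            revert TokenNotERC20Like();
        }

        ajnaToken = ajnaToken_;
    }
}
```

Neither check proves that the address is the intended token; they only reject deployments pointed at an address with no code or at a contract without the probed function.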