search

code-423n4 / 2023-06-lukso-findings

3 stars 1 forks source link

Zero Address Exclusion Check in 'transfer' Function Enhances Security #2

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-lukso/blob/bd49f57c32a522563fc42feeee23c83c8b373405/contracts/LSP7DigitalAsset/LSP7DigitalAssetCore.sol#L124-L149

Vulnerability details

Title:

Zero Address Exclusion Check in transfer Function Enhances Security

Summary

The transfer function in the smart contract was modified to include an additional check that prevents the transfer of tokens to or from the zero address. This update strengthens the security of the token transfer functionality by explicitly disallowing transfers involving the zero address.

Vulnerability Details

The modified transfer function introduces a check to verify that neither the from nor the to address is the zero address. This prevents the transfer of tokens to or from an invalid address, mitigating the risk of unintended consequences or potential loss of tokens.

Impact

The inclusion of the zero address exclusion check in the transfer function significantly enhances the security of the system. By disallowing transfers involving the zero address, the vulnerability of losing tokens or facing disruptions due to errors or malicious actions is reduced.

Proof of Concept

The following code snippet demonstrates the implementation of the zero address exclusion check in the transfer function:

function transfer(
    address from,
    address to,
    uint256 amount,
    bool allowNonLSP1Recipient,
    bytes memory data
) public virtual {
    if (from == to) revert LSP7CannotSendToSelf();
    if (from == address(0) || to == address(0)) {
        revert LSP7CannotSendWithAddressZero();
    }

    // Rest of the function logic
    ...
}

By including the check from == address(0) || to == address(0), the modified code ensures that neither the from nor the to address can be the zero address. If either of the addresses is the zero address, it triggers the LSP7CannotSendWithAddressZero() revert, preventing the transfer from occurring.

This improved code mitigates the risk of transferring tokens to or from an invalid address, bolstering the security of the token transfer functionality in the smart contract.

https://github.com/code-423n4/2023-06-lukso/blob/bd49f57c32a522563fc42feeee23c83c8b373405/contracts/LSP7DigitalAsset/LSP7DigitalAssetCore.sol#L124-L149

Tools Used

No specific tools were mentioned or utilized in the modification process.

Recommended Mitigation Steps

To further enhance the security of the smart contract, the following steps are recommended:

  1. Implement input validation checks for all user-supplied addresses to ensure they are not the zero address.
  2. Consider utilizing standardized address validation functions or libraries to minimize the risk of human error.

Assessed type

Token-Transfer

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

Zero address checks are performed in _transfer()

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid