No check for minting to the address(0)

[code423n4]

Lines of code

https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/TwabController.sol#L457

Vulnerability details

Impact

Loss of users' funds, due to minting to the zero address

Proof of Concepts

the mint function in the Twabcontroller.sol contract does not check for if the recipient address is address zerro. If user mistakingly calls the mint function without specifying the recipient, shares can be minted to address zero, which lead to loss of funds for the user.

function mint(address _to, uint96 _amount) external {
    _transferBalance(msg.sender, address(0), _to, _amount);
  }

Tools Used

Manual review

Recommended Mitigation Steps

Add checks that ensure that any minting to the address(0) reverts.

Assessed type

Token-Transfer

[c4-judge]

Picodes marked the issue as unsatisfactory: Overinflated severity