hats-finance / AlephZeroAMM-0x0d88a9ece90994ecb3ba704730819d71c139f60f

Apache License 2.0

Function transfer lacks address validation #33

Open hats-bug-reporter[bot] opened 9 months ago

hats-bug-reporter[bot] commented 9 months ago

Github username: @JJtheAndroid
Twitter username: --
Submission hash (on-chain): 0x858dcb92a745cd5c7065a0776763294fec814e754142d458ac7d207ca68bcb2c
Severity: minor

Description:

Function transfer lacks address validation

Attack Scenario

The function transfer, shown below, allows a user to transfer LP tokens from his/her account to another address.

let events = self.psp22.transfer(self.env().caller(), to, value)?;

https://github.com/hats-finance/AlephZeroAMM-0x0d88a9ece90994ecb3ba704730819d71c139f60f/blob/b097173adc9966bcbed72c6a4f1b50fcc52fe0ef/amm/contracts/pair/lib.rs#L584

https://github.com/Cardinal-Cryptography/PSP22/blob/f05e31809aaae77782b21bd2d3265b398cf1e7a5/data.rs#L71-L100

However, the function lacks proper validation checks to make sure that these tokens are not sent to a 0 address or to a default address. In the Aleph Zero docs, it is stated that it is important to have these checks as "use of these addresses on the production network can result in lost gas fees and unretrievable tokens and AZERO if accidentally used within that environment".

https://docs.alephzero.org/aleph-zero/security-course-by-kudelski-security/lesson-6-address-validation#setup

deuszx commented 9 months ago

On Substrate, due to its choice of cryptography, ZERO_ADDRESS cannot be used the same way it is on Ethereum, since the private key for 0...000 is well-known (meaning anyone can withdraw tokens sent to it). There's an infinite number of "addresses for which there is no private key", so it's impossible to check for all of them.

deuszx commented 9 months ago

Thank you for your participation. After carefully reviewing the submission, we've concluded that this issue is INVALID.

We hope you participate in the future audits of ink!.
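
Added illustration, not part of the issue thread or the project's code: a plain-Rust model of the recipient check the report asks for and of the limitation raised in the reply. A deny-list rejects the all-zero recipient but accepts any other 32-byte value, whether or not anyone holds a key for it. `Token`, `DENYLIST`, `transfer_checked` and the sample accounts are assumptions made up for this example.

```rust
use std::collections::HashMap;

// Plain-Rust model; AccountId, Token, DENYLIST and transfer_checked are
// illustrative assumptions, not ink! or PSP22 APIs.
type AccountId = [u8; 32];

#[derive(Debug, PartialEq)]
enum TransferError { DeniedRecipient, InsufficientBalance, Overflow }

// The proposed validation can only reject recipients it can enumerate.
const DENYLIST: [AccountId; 1] = [[0u8; 32]];

#[derive(Default)]
struct Token { balances: HashMap<AccountId, u128> }

impl Token {
    fn balance_of(&self, who: &AccountId) -> u128 {
        self.balances.get(who).copied().unwrap_or(0)
    }

    fn transfer_checked(&mut self, from: AccountId, to: AccountId, value: u128)
        -> Result<(), TransferError>
    {
        if DENYLIST.contains(&to) {
            return Err(TransferError::DeniedRecipient);
        }
        let from_balance = self.balance_of(&from);
        if from_balance < value {
            return Err(TransferError::InsufficientBalance);
        }
        if from == to {
            return Ok(()); // self-transfer leaves balances unchanged
        }
        // Validate the credit before writing so a failure cannot leave a half-applied transfer.
        let to_balance = self.balance_of(&to).checked_add(value).ok_or(TransferError::Overflow)?;
        self.balances.insert(from, from_balance - value);
        self.balances.insert(to, to_balance);
        Ok(())
    }
}

// Constructed scenario: returns (zero recipient result, arbitrary recipient result, its balance).
fn demo() -> (Result<(), TransferError>, Result<(), TransferError>, u128) {
    let (alice, arbitrary) = ([1u8; 32], [0xAB_u8; 32]); // constructed sample accounts
    let mut token = Token::default();
    token.balances.insert(alice, 100);
    let zero = token.transfer_checked(alice, [0u8; 32], 10);
    let other = token.transfer_checked(alice, arbitrary, 40);
    (zero, other, token.balance_of(&arbitrary))
}

fn main() {
    println!("{:?}", demo());
}
```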