Share can be minted to address(0) in TimeLockPool.sol#Deposit
Summary
Share can be minted to address(0) in TimeLockPool.sol#Deposit
Vulnerability Detail
When calling the the function deposit
function deposit(uint256 _amount, uint256 _duration, address _receiver) external override {
if (_amount == 0) {
revert ZeroAmountError();
}
The function does not verify if the _receiver address is address(0),
When the mint is called, the share that minted to address(0) is basically equal to burn the share.
_mint(_receiver, mintAmount);
Impact
Burning the share while deposit the token basically waste storage space and erode other user's share because address(0) is not supposed to get any reward anyway.
ctf_sec
medium
Share can be minted to address(0) in TimeLockPool.sol#Deposit
Summary
Share can be minted to address(0) in TimeLockPool.sol#Deposit
Vulnerability Detail
When calling the the function deposit
The function does not verify if the _receiver address is address(0),
When the mint is called, the share that minted to address(0) is basically equal to burn the share.
Impact
Burning the share while deposit the token basically waste storage space and erode other user's share because address(0) is not supposed to get any reward anyway.
Code Snippet
https://github.com/sherlock-audit/2022-10-merit-circle/blob/main/merit-liquidity-mining/contracts/TimeLockPool.sol#L85-L93
Tool used
Manual Review
Recommendation
We recommend the project check if the receiverAddress is address(0)