search

sherlock-audit / 2023-02-blueberry-judging

12 stars 5 forks source link

Udsen - CONDUCT INPUT PARAMETER VALIDATION FOR `address(0)` #350

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Udsen

false

CONDUCT INPUT PARAMETER VALIDATION FOR address(0)

Summary

The liquidate() function inside the BlueBerryBank.sol conducts multiple external and internal function calls using the address debtToken input parameter passed into it. But the input parameter is not checked for address(0).

Vulnerability Detail

If the debtToken happens to be address(0), this will lead to unexpected behaviour in the code and unexpected transaction reverts.

Impact

If the debtToken = address(0) it could lead to unneccesary gas wastage if the transaction is reverted inside external function call or could lead to unexpected code behaviour.

Code Snippet

    function liquidate(
        uint256 positionId,
        address debtToken,
        uint256 amountCall
    ) external override lock poke(debtToken) {
        if (amountCall == 0) revert ZERO_AMOUNT();
        if (!isLiquidatable(positionId)) revert NOT_LIQUIDATABLE(positionId);
     ...
 }

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L511-L517

Tool used

VS Code and Manual Review

Recommendation

It is recommended to perform the debtToken != address(0) check inside the liquidate() function as below.

    function liquidate(
        uint256 positionId,
        address debtToken,
        uint256 amountCall
    ) external override lock poke(debtToken) {
        if (amountCall == 0) revert ZERO_AMOUNT();
        if (!isLiquidatable(positionId)) revert NOT_LIQUIDATABLE(positionId);
        if (debtToken == address(0)) revert ZERO_ADDRESS();
     ...
 }