The liquidate() function inside the BlueBerryBank.sol conducts multiple external and internal function calls using the address debtToken input parameter passed into it. But the input parameter is not checked for address(0).
Vulnerability Detail
If the debtToken happens to be address(0), this will lead to unexpected behaviour in the code and unexpected transaction reverts.
Impact
If the debtToken = address(0) it could lead to unneccesary gas wastage if the transaction is reverted inside external function call or could lead to unexpected code behaviour.
Code Snippet
function liquidate(
uint256 positionId,
address debtToken,
uint256 amountCall
) external override lock poke(debtToken) {
if (amountCall == 0) revert ZERO_AMOUNT();
if (!isLiquidatable(positionId)) revert NOT_LIQUIDATABLE(positionId);
...
}
Udsen
false
CONDUCT INPUT PARAMETER VALIDATION FOR
address(0)
Summary
The
liquidate()
function inside theBlueBerryBank.sol
conducts multiple external and internal function calls using theaddress debtToken
input parameter passed into it. But the input parameter is not checked foraddress(0)
.Vulnerability Detail
If the debtToken happens to be address(0), this will lead to unexpected behaviour in the code and unexpected transaction reverts.
Impact
If the debtToken = address(0) it could lead to unneccesary gas wastage if the transaction is reverted inside external function call or could lead to unexpected code behaviour.
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L511-L517
Tool used
VS Code and Manual Review
Recommendation
It is recommended to perform the debtToken != address(0) check inside the
liquidate()
function as below.