SwapHandler.swapForTau should ensure Controller(controller).addressMapper(Constants.FEE_SPLITTER) != 0 first.
Summary
SwapHandler.swapForTau validates swap adapter address. But it doesn’t validate Controller(controller).addressMapper(Constants.FEE_SPLITTER). The protocol fees could be sent to address(0).
GimelSec
medium
SwapHandler.swapForTau
should ensureController(controller).addressMapper(Constants.FEE_SPLITTER) != 0
first.Summary
SwapHandler.swapForTau
validates swap adapter address. But it doesn’t validateController(controller).addressMapper(Constants.FEE_SPLITTER)
. The protocol fees could be sent to address(0).Vulnerability Detail
SwapHandler.swapForTau
validates swap adapter address at the beginning. But it doesn’t validate the FeeSplitter address. it could send the protocol fees to the address(0). https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L94 https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L64Impact
The protocol fees could be sent to address(0).
Code Snippet
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L94 https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L64
Tool used
Manual Review
Recommendation
Add check in
SwapHandler.swapForTau
to ensureController(controller).addressMapper(Constants.FEE_SPLITTER) != 0