The PassThroughWalletImpl.sol contract does not validate the input for the passThrough address, which could lead to accidental loss of funds if an invalid address is set.
Vulnerability Detail
The initializer function and setPassThrough function in the PassThroughWalletImpl.sol contract do not perform input validation on the passThrough address. If an invalid address is provided, the contract could forward tokens to an unreachable address, causing a loss of funds.
Impact
This vulnerability could lead to the accidental loss of funds if the pass-through address is set to an invalid or unreachable address.
Consider implementing input validation for the passThrough address to prevent the contract from forwarding tokens to an invalid or unreachable address. This could include checking for a non-zero address and potentially verifying the address's functionality (e.g., checking if it's a contract address or an externally owned account).
moneyversed
medium
No input validation for the passThrough address
Summary
The PassThroughWalletImpl.sol contract does not validate the input for the passThrough address, which could lead to accidental loss of funds if an invalid address is set.
Vulnerability Detail
The initializer function and setPassThrough function in the PassThroughWalletImpl.sol contract do not perform input validation on the passThrough address. If an invalid address is provided, the contract could forward tokens to an unreachable address, causing a loss of funds.
Impact
This vulnerability could lead to the accidental loss of funds if the pass-through address is set to an invalid or unreachable address.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-pass-through-wallet/src/PassThroughWalletImpl.sol#L84
Tool used
Manual Review
Recommendation
Consider implementing input validation for the passThrough address to prevent the contract from forwarding tokens to an invalid or unreachable address. This could include checking for a non-zero address and potentially verifying the address's functionality (e.g., checking if it's a contract address or an externally owned account).