Malicious user can send protocol fees to address 0
Summary
Malicious user can send protocol fees to address 0. It's possible, because 1)protocol coordinator is created, then treasury 0 is provided, 2)updateCoordinatorTreasury doesn't check for 0 address.
rvierdiiev
medium
Malicious user can send protocol fees to address 0
Summary
Malicious user can send protocol fees to address 0. It's possible, because 1)protocol coordinator is created, then treasury 0 is provided, 2)updateCoordinatorTreasury doesn't check for 0 address.
Vulnerability Detail
Incentivizer.claimFeecan be called by anyone to send fees to protocol's treasury.This can be a poblem when fees are not 0 and treasury is 0. Protocol's treasury can be 0 for 2 reasons: 1.At the beginning, no treasury is provided for protocol. 2.Treasury update doesn't check for 0 address.
As result, malicious user can claim fees fro a protocol, right when treasury is 0.
Impact
Protocol losses fees.
Code Snippet
Provided above
Tool used
Manual Review
Recommendation
Check that treasury can't be 0.