sherlock-audit / 2023-06-dinari-judging


gkrastenov - Recipient address in OrderRequest is never validated #123

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

gkrastenov

medium

Recipient address in OrderRequest is never validated

Summary

Recipient address in OrderRequest is never validated and can open uncanceled orders forever.

Vulnerability Detail

If the recipient address is not validated, it can cause problems with filling or canceling the order. When the recipient address is equal to address(0) or is a blacklisted address, transferring payment tokens becomes impossible because stablecoins like USDC/USDT do not allow such transfers.

Impact

Orders can be requested but never will be fully filled or closed. Additionally, the money in the contract will become stuck.

Code Snippet

BuyOrderIssuer-214

// Return escrow
IERC20(orderRequest.paymentToken).safeTransfer(orderRequest.recipient, refund);

SellOrderProcessor-171

// Transfer proceeds to recipient
if (proceeds > 0) {
    IERC20(paymentToken).safeTransfer(recipient, proceeds);
}

Tool used

Manual Review

Recommendation

Check for a valid recipient address before requesting an order.

Duplicate of #57
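The recommendation above, sketched as an added example that is not part of the original report or the audited code base. `EscrowSketch`, `IPaymentToken` and every function and error name are hypothetical; it assumes a USDC-like payment token that returns `bool` from transfers and exposes an `isBlacklisted(address)` getter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: all names are hypothetical, not the audited contracts.
interface IPaymentToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    // Assumption: USDC-style blacklist getter on the payment token.
    function isBlacklisted(address account) external view returns (bool);
}

contract EscrowSketch {
    struct Order {
        address requester;
        address recipient;
        IPaymentToken token;
        uint256 escrow;
    }

    mapping(uint256 => Order) public orders;
    uint256 public nextId;

    error InvalidRecipient();
    error NotRequester();
    error TransferFailed();

    // Validate the recipient at request time, before any escrow is taken,
    // so an order whose payout can never succeed is never opened.
    function requestOrder(IPaymentToken token, address recipient, uint256 amount)
        external
        returns (uint256 id)
    {
        if (recipient == address(0) || token.isBlacklisted(recipient)) revert InvalidRecipient();
        id = nextId++;
        orders[id] = Order(msg.sender, recipient, token, amount);
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    // Refund path: this transfer is the call that reverts for a bad recipient.
    // (The report's snippets use SafeERC20; plain calls keep the sketch self-contained.)
    function cancelOrder(uint256 id) external {
        Order memory o = orders[id];
        if (o.requester != msg.sender) revert NotRequester();
        delete orders[id];
        if (!o.token.transfer(o.recipient, o.escrow)) revert TransferFailed();
    }
}
```

The check only covers the moment of the request: a recipient blacklisted after the order is opened still makes the refund transfer revert.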

gkrastenov commented 1 year ago

Escalate

I think this issue is a valid duplicate of #57

sherlock-admin commented 1 year ago

Escalate

I think this issue is a valid duplicate of #57

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

ctf-sec commented 1 year ago

Agree, valid duplicate of #57

Oot2k commented 1 year ago

Agree with escalation

hrishibhat commented 1 year ago

Result: Medium Duplicate of #57

sherlock-admin2 commented 1 year ago

Escalations have been resolved successfully!

Escalation status: