sherlock-audit / 2023-07-blueberry-judging

fides - Zero Address Validation implementation is incorrect. #124

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

fides

medium

Zero Address Validation implementation is incorrect.

Summary

In function getPrice, if(token == address(0)) then token = token_ bypasses the zero address validation in the function.

Vulnerability Detail

In the abstract contract ChainlinkAdapterOracle.sol, the zero address validation check if (token == address(0)) token = token_; (line 105) is incorrect because if the token address is the zero address, it will consider token = token_ which just bypasses the check.

Impact

_token address might be zero and the caller won't receive any price value from the Chainlink oracle.

Code Snippet

https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L105

Tool used

Manual Review

Recommendation

The mitigation steps are as follows:

105     - if (token == address(0)) token = token_;
106     + if (token == address(0)) revert Errors.ZERO_ADDRESS();;
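
Review bot: the removed line 105 is a fallback assignment (`token = token_`), not a validation, so turning it into `revert Errors.ZERO_ADDRESS()` changes behaviour for every caller that passes address(0) to getPrice. Confirm that no caller relies on that substitution before applying this, and document in the function's comments what address(0) is meant to represent. The added line 106 also ends in a doubled semicolon (`;;`); drop the extra one.
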
sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

0xyPhilic commented:

invalid because the check if token == address(0) is done to check if the token used is ETH

Kral01 commented:

Invalid