Missing address validation for RubiconFeeController.feeRecipient can lead to fees being misdirected or lost
Summary
There is no mechanism to check whether the address provided for feeRecipient is valid.
This issue addresses a concern the Rubicon team raised in the contest QnA:
A potential concern and non-intended outcome is that if the admin sets invalid parameters, ...
Vulnerability Detail
The admin of the fee controller can provide an invalid address for feeRecipient in the initialize() and setFeeRecipient() functions. This value is then used in the getFeeOutputs() function.
Impact
An invalid feeRecipient address leads to fees being lost or misdirected.
DJINN
medium
Tool used
Manual Review
Recommendation
It is generally recommended to validate user inputs, as they are prone to errors. Furthermore, it is recommended to check whether the provided address is address(0).
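One way to apply this recommendation, shown as an added example that is not Rubicon's code: a minimal stand-in contract that rejects address(0) in both initialize() and setFeeRecipient(). It goes one step beyond the zero check by requiring the new recipient to confirm, which also catches mistyped non-zero addresses. The contract name, the initialize() signature, pendingFeeRecipient, acceptFeeRecipient(), the errors and the events are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only: a minimal stand-in, not Rubicon's RubiconFeeController.
contract FeeRecipientGuardExample {
    address public owner;
    address public feeRecipient;
    address public pendingFeeRecipient; // hypothetical: candidate awaiting confirmation
    bool private initialized;

    error ZeroAddress();
    error NotOwner();
    error NotPendingRecipient();
    error AlreadyInitialized();

    event FeeRecipientProposed(address indexed candidate);
    event FeeRecipientUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumed signature; the real initialize() parameters are not shown on this page.
    function initialize(address _owner, address _feeRecipient) external {
        if (initialized) revert AlreadyInitialized();
        if (_owner == address(0) || _feeRecipient == address(0)) revert ZeroAddress();
        initialized = true;
        owner = _owner;
        feeRecipient = _feeRecipient;
        emit FeeRecipientUpdated(address(0), _feeRecipient);
    }

    // Step 1: the admin proposes a recipient; address(0) is rejected outright.
    function setFeeRecipient(address candidate) external onlyOwner {
        if (candidate == address(0)) revert ZeroAddress();
        pendingFeeRecipient = candidate;
        emit FeeRecipientProposed(candidate);
    }

    // Step 2: the candidate proves it controls the address by calling in,
    // which catches mistyped non-zero addresses that a zero check cannot.
    function acceptFeeRecipient() external {
        if (msg.sender != pendingFeeRecipient) revert NotPendingRecipient();
        emit FeeRecipientUpdated(feeRecipient, msg.sender);
        feeRecipient = msg.sender;
        delete pendingFeeRecipient;
    }
}
```

Until acceptFeeRecipient() is called, the previous feeRecipient keeps receiving fees, so a bad proposal changes nothing.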