sherlock-audit / 2024-02-rubicon-finance-judging


DJINN - Missing address validation for `RubiconFeeController.feeRecipient` can lead to fees being misdirected or lost #37

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

DJINN

medium

Missing address validation for RubiconFeeController.feeRecipient can lead to fees being misdirected or lost

Summary

There are no mechanisms to check if the provided address for feeRecipient is valid or not.

This issue addresses concerns the Rubicon team has, as mentioned in the contest QnA, as stated here:

A potential concern and non-intended outcome is that if the admin sets invalid parameters, ...

Vulnerability Detail

The admin of the fee controller can provide an invalid address for feeRecipient in the initialize() and setFeeRecipient() functions. This value is used in the getFeeOutputs() function here.

Impact

Code Snippet

Tool used

Manual Review

Recommendation

It is generally recommended to validate user inputs as they are prone to errors. Furthermore, it is recommended to check if the provided address is address(0).
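The recommended check, as an added sketch that is not part of the original report and is not the Rubicon source: only the names `feeRecipient`, `initialize()` and `setFeeRecipient()` come from the report, while the contract name, owner handling, errors and event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical sketch, not the Rubicon contract. It shows both entry
/// points named in the report routing through one validated setter.
contract FeeControllerSketch {
    address public owner;          // assumed admin model
    address public feeRecipient;   // field named in the report
    bool private initialized;

    error ZeroAddress();
    error NotOwner();
    error AlreadyInitialized();

    // Emitted on every change so monitoring can alert on unexpected updates.
    event FeeRecipientUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Assumed to be called once, atomically with deployment.
    function initialize(address _owner, address _feeRecipient) external {
        if (initialized) revert AlreadyInitialized();
        if (_owner == address(0)) revert ZeroAddress();
        initialized = true;
        owner = _owner;
        _setFeeRecipient(_feeRecipient);
    }

    function setFeeRecipient(address _feeRecipient) external onlyOwner {
        _setFeeRecipient(_feeRecipient);
    }

    /// Single choke point: initialize() and setFeeRecipient() cannot
    /// diverge in what they accept.
    function _setFeeRecipient(address _feeRecipient) private {
        if (_feeRecipient == address(0)) revert ZeroAddress();
        emit FeeRecipientUpdated(feeRecipient, _feeRecipient);
        feeRecipient = _feeRecipient;
    }
}
```

The zero-address check only rejects an unset value; a mistyped but non-zero address still passes, which is why the sketch also emits an event that off-chain monitoring can compare against the expected recipient.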

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

0xAadi commented:

Invalid: OOS