AmirX:_verifyDefiSwap() does not check if the value of the safe is address(0) in spite of the readme
Summary
AmirX:_verifyDefiSwap() does not check if defi.safe is address(0), which means that in AmirX:_buyBack() remaining POL/token balances may be sent to address(0), breaking the readme:
However, if the value for a safe is not passed in, tokens should not be able to be sent into space or the zero address.
Root Cause
In AmirX:264, defi.safe is not checked for address(0).
Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
Swapper calls AmirX:swap() with a feeToken that is neither Telcoin nor address(0) and a defi.safe of address(0), sending tokens to address(0).
Impact
The tokens are sent to address(0) instead of the safe, contrary to the readme.
PoC
if (defi.feeToken != TELCOIN && address(defi.feeToken) != address(0)) {
    if (defi.aggregator == address(0) || defi.swapData.length == 0)
        revert ZeroValueInput("BUYBACK");
}
0x73696d616f
Medium
Mitigation
Add defi.safe check:
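A sketch of where such a check could sit, added here as an illustration; it is not the report's patch or the AmirX source. The contract name, the struct layout (only the fields the report names), the `_sweepRemainder` helper, the "SAFE" revert label and the placement of the check inside the buyback branch are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified model of the finding; not the AmirX contract.
abstract contract SafeCheckSketch {
    error ZeroValueInput(string field);

    // Only the fields named in the report; the real struct may differ.
    struct DefiSwap {
        address safe;
        address aggregator;
        IERC20 feeToken;
        bytes swapData;
    }

    IERC20 public immutable TELCOIN;

    constructor(IERC20 telcoin) {
        TELCOIN = telcoin;
    }

    // Same buyback condition as the report's snippet (written with address
    // casts), plus a zero-address check on the safe that receives leftovers.
    function _verifyDefiSwap(DefiSwap memory defi) internal view {
        if (address(defi.feeToken) != address(TELCOIN) && address(defi.feeToken) != address(0)) {
            if (defi.aggregator == address(0) || defi.swapData.length == 0)
                revert ZeroValueInput("BUYBACK");
            // Added check: a buyback will run, so its remainder needs a destination.
            if (defi.safe == address(0)) revert ZeroValueInput("SAFE");
        }
    }

    // Hypothetical stand-in for the remainder transfer the report attributes
    // to _buyBack(): it validates first, so it never transfers to address(0).
    function _sweepRemainder(DefiSwap memory defi) internal {
        _verifyDefiSwap(defi);
        if (address(defi.feeToken) == address(0)) return; // no fee token, nothing to sweep
        uint256 remainder = defi.feeToken.balanceOf(address(this));
        if (remainder > 0) {
            require(defi.feeToken.transfer(defi.safe, remainder), "transfer failed");
        }
    }
}
```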