Missing parameter validation #81
Comments
ATokenYieldSource PR: pooltogether/aave-yield-source#19
BadgerYieldSource PR: pooltogether/badger-yield-source#6
SushiYieldSource PR: pooltogether/sushi-pooltogether#16
ControlledToken PR: pooltogether/pooltogether-pool-contracts#306
StakePrizePool PR: pooltogether/pooltogether-pool-contracts#314
@asselstine I'm not sure we want to check for non zero address in the PrizePool
Yeah @PierrickGT I don't think the
LGTM
Handle
cmichel
Vulnerability details
Some parameters of functions are not checked for invalid values:
- StakePrizePool.initialize: address _stakeToken not checked for non-zero or contract
- ControlledToken.initialize: address controller not checked for non-zero or contract
- PrizePool.withdrawReserve: address to not checked for non-zero, funds will be lost when sending to zero address
- ATokenYieldSource.initialize: address _aToken, _lendingPoolAddressesProviderRegistry not checked for non-zero or contract
- BadgerYieldSource.initialize: address badgerSettAddr, badgerAddr not checked for non-zero or contract
- SushiYieldSource.constructor: address _sushiBar, _sushiAddr not checked for non-zero or contract
Impact
Wrong user input or wallets defaulting to the zero addresses for a missing input can lead to the contract needing to redeploy or wasted gas.
Recommended Mitigation Steps
Validate the parameters.
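The two checks named in the report (non-zero, and "is a contract"), shown as an added example that is not part of the original issue and is not PoolTogether's code. The contract `ValidatedStakePool`, its storage layout, the `IERC20Minimal` interface and the revert strings are hypothetical; only the parameter names `_stakeToken` and `to` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1; // address.code.length needs >= 0.8.1

// Hypothetical minimal token interface, declared here so the example is self-contained.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Added illustration of the recommended validation; hypothetical contract.
contract ValidatedStakePool {
    address public stakeToken;
    address public owner;
    uint256 public reserve;
    bool private initialized;

    /// Rejects the zero address, which wallets and scripts may substitute
    /// for a missing input.
    function _requireNonZero(address a, string memory what) private pure {
        require(a != address(0), what);
    }

    /// Rejects addresses that hold no code. This is a deployment sanity check
    /// only: code.length is also 0 while a contract is still in its constructor.
    function _requireContract(address a, string memory what) private view {
        _requireNonZero(a, what);
        require(a.code.length > 0, what);
    }

    function initialize(address _stakeToken) external {
        require(!initialized, "already initialized");
        _requireContract(_stakeToken, "_stakeToken: zero address or not a contract");
        initialized = true;
        owner = msg.sender;
        stakeToken = _stakeToken;
    }

    function withdrawReserve(address to) external returns (uint256 amount) {
        require(msg.sender == owner, "only owner");
        // Without this check a defaulted `to` sends the reserve to address(0).
        _requireNonZero(to, "to: zero address");
        amount = reserve;
        reserve = 0; // clear state before the external call
        require(IERC20Minimal(stakeToken).transfer(to, amount), "transfer failed");
    }
}
```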