lockFor() in BkdLocker doesn't check that user is not 0x0, and if a user calls this function with value 0x0 by mistake, s/he is going to lose his funds. #166
Labels
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/BkdLocker.sol#L227-L232
Vulnerability details
Impact
The function `lockFor()` in `BkdLocker` is supposed to lock `msg.sender` funds and increase `user` address funds, but if anyone calls it with the `0x0` address by mistake, then his funds will be locked forever.
Proof of Concept
This is the `lockFor()` code in `BkdLocker`:
As you can see, there is no check that `user` is not `0x0`. The code calls `_userCheckpoint()`, which will increase `0x0` balances in the contract, and there is no check in `_userCheckpoint()` either, and a user can lose all his funds by one simple mistake.
Tools Used
VIM
Recommended Mitigation Steps
Check that `user` is not `0x0` in `lockFor`.
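One way to apply the recommended check, as an added example that is not BkdLocker's code and is not from the original report. `SimpleLocker`, its `withdraw()` function, the custom errors and the minimal `IERC20` interface are hypothetical, chosen only to show why a balance credited to `0x0` cannot be recovered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal ERC-20 surface needed by this sketch.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified locker; not the BkdLocker source.
contract SimpleLocker {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    error ZeroAddress();
    error ZeroAmount();

    constructor(IERC20 token_) {
        if (address(token_) == address(0)) revert ZeroAddress();
        token = token_;
    }

    // Locks msg.sender's tokens and credits them to `user`.
    function lockFor(address user, uint256 amount) external {
        // Without this check, a call with user == address(0) credits an
        // account nobody controls, so withdraw() can never release it.
        if (user == address(0)) revert ZeroAddress();
        if (amount == 0) revert ZeroAmount();

        // Update state before the external call; a failed transfer
        // reverts the whole transaction, including this credit.
        balances[user] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Only the credited account can withdraw its own balance.
    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount; // reverts on underflow in 0.8+
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```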