Lack of zero address check in stakeFor() can lead to loss of funds
#237
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
2 (Med Risk)
0xMaharishi
added
invalid
|
Any sort of dead address will have the same effect, not just address(0) |
|
similar to similar to #223 |
|
The difference between this issue and #223 is that this function is callable by anyone. As a result the likelihood that a zero address check will prevent a pebkac user error or even a frontend code bug is much higher. Also, funds are at direct risk here given external factors. That makes it textbook medium risk. |
This was referenced Jul 8, 2022
Closed
|
Per #364 (comment) I have decided to downgrade this to QA. |
dmvt
added
duplicate
|
Grouping this with the warden’s QA report, #246 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L138
Vulnerability details
Impact
In
AuraBalRewardPool.sol, thestakeFor()function is lacking a crucial check against address(0). An incorrect input or wallet defaulting to the zero address will immediately cause loss of funds upon deposit.A previous submission similar to this can be found here
Proof of Concept
If
AuraBalRewardPool.stakeFor()is called with_forequal to address(0), the amount will be staked for the zero address, not any real user. This amount will not be able to be withdrawn.Tools Used
Manual review
Recommended Mitigation Steps
Add a simple zero-address check on the
stakeFor()function.The text was updated successfully, but these errors were encountered: