Submission Details
Severity: low
Valid

Lack of zero-address check

Summary

There is no zero-address check.

Vulnerability Details

This is a medium risk vulnerability because funds can be lost if any of the addresses below is set to the zero address. As a rule, there should always be checks to ensure that initialized addresses are never the zero address.

Instances:

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol#L20C1-L22C1

constructor(address _weth, address _staking) {
    WETH = _weth;
    staking = _staking;
}

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol#L26

function sellProfits(address _profits) public {
    require(_profits != WETH, "not allowed");
    uint256 amount = IERC20(_profits).balanceOf(address(this));

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L101

function setFeeReceiver(address _feeReceiver) external onlyOwner {
    feeReceiver = _feeReceiver;
}

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Staking.sol#L31

constructor(address _token, address _weth) Ownable(msg.sender) {
    TKN = IERC20(_token);
    WETH = IERC20(_weth);
}

Impact

Initializing any of these addresses to the zero address may lead to loss of funds for both the protocol and the users.

Tools Used

Manual review and VS Code

Recommendations

Add a require check that rejects the zero address wherever these addresses are set.
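One way to apply this recommendation to the constructor and setter patterns listed under Instances, as an added example that is not the Beedle code: the contract name `ZeroAddressGuardExample`, the `ZeroAddress` error, the `_requireNonZero` helper, the `FeeReceiverUpdated` event and the simplified owner handling are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; names are hypothetical and this is not the project's contract.
contract ZeroAddressGuardExample {
    /// Reverts with this error whenever a zero address is supplied.
    error ZeroAddress();

    address public immutable WETH;
    address public immutable staking;
    address public owner;        // simplified stand-in for an Ownable base
    address public feeReceiver;

    event FeeReceiverUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Validate before assignment: immutables cannot be corrected after deployment,
    /// so a zero value here would be permanent.
    constructor(address _weth, address _staking) {
        _requireNonZero(_weth);
        _requireNonZero(_staking);
        WETH = _weth;
        staking = _staking;
        owner = msg.sender;
    }

    /// Same guard on the mutable setter, so fees can never be routed to address(0).
    function setFeeReceiver(address _feeReceiver) external onlyOwner {
        _requireNonZero(_feeReceiver);
        emit FeeReceiverUpdated(feeReceiver, _feeReceiver);
        feeReceiver = _feeReceiver;
    }

    /// Single shared check so every entry point fails the same way.
    function _requireNonZero(address a) internal pure {
        if (a == address(0)) revert ZeroAddress();
    }
}
```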
