Insufficient Input Validation in setPool() Function
Summary
The setPool() function in the contract does not validate that the p.collateralToken address provided is not zero.
Vulnerability Details
The setPool() function should validate that p.collateralToken is a valid contract addresses, because during operations of setPool() there are no actions taken that may call this contract and result in an evm revert (the rest of the contract seems to employ built in solidity functionality for gas efficient reversions and checks i.e. arithmetic underflow and overflow)
Impact
Correct Functionality of the Lender.sol contract is affected, tests below confirm.
Failure to validate the p.collateralToken input can lead to loans being created with an invalid collateral token, which may lead to loss of funds or other unexpected behaviour.
Tools Used
Manual Review
Recommendations
Add necessary input validations to ensure that the p.collateralToken address is not zero.
Whilst this can be guarded on the frontend inputs, and I have seen via public commentary on Twitter that checks such as these should be disregarded to save gas, the ultimate checks are the smart contracts and the guard rails should ultimately be set here
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.