Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Input Validation in TradingAccount.withdrawMarginUsd Function

kevinkkien

Summary

The withdrawMarginUsd function in the TradingAccount library does not validate the recipient address before transferring tokens. If the recipient address is the zero address (address(0)), the tokens will be irrecoverably lost.

Vulnerability Details

The withdrawMarginUsd function is responsible for withdrawing margin collateral from a trading account and transferring it to a specified recipient. However, it does not include a check to ensure that the recipient address is not the zero address:

IERC20(collateralType).safeTransfer(recipient, amountToTransfer);

If the recipient address is mistakenly or maliciously set to the zero address, the safeTransfer function will still execute, resulting in the tokens being sent to an unusable address, effectively removing them from circulation.

Impact

Users could lose their margin collateral if it is accidentally or intentionally sent to the zero address.

Tools Used

Manual code review

Recommendations

Add a require statement before the safeTransfer call to ensure that the recipient address is not the zero address:

require(recipient != address(0), "Invalid recipient address");
IERC20(collateralType).safeTransfer(recipient, amountToTransfer);
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.