In the _redeemPositionToken function, the contract retrieves pool parameters with getPoolParametersByAddress(_positionToken). According to the comments on that function, and as observed in practice, it returns a default Pool struct, with collateralToken = address(0), when _positionToken is not a registered position token. _redeemPositionToken never checks whether _pool.collateralToken is address(0), so execution proceeds with an unregistered wToken, which can result in unexpected behavior or failed transactions. The vulnerable code snippet is:
If an invalid _positionToken is provided, _pool.collateralToken is address(0), so the lookup _wTokenToCollateralToken[address(0)] also returns address(0) and the comparison passes where it should fail: the validation produces a false positive instead of reverting. Execution then reaches _redeemWTokenPrivate with zero-address parameters, which could affect fund safety.
With an invalid _positionToken, the function attempts to process an unregistered or nonexistent wToken, which can lead to incorrect fund withdrawals or to transaction failures caused by interactions with address(0).
Explicitly check whether _pool.collateralToken == address(0) and revert immediately, so that an invalid position token is rejected before any further processing:
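The following contract is an added illustration written for this finding; it is not the audited contract's code. It reuses the names from the finding (Pool, getPoolParametersByAddress, _wTokenToCollateralToken, _redeemPositionToken, _redeemWTokenPrivate), but the struct fields, the mapping key used in the comparison, the storage layout and the redeem internals are assumptions made for the example. It places the unchecked path beside the hardened one so the false-positive validation can be reproduced and then shown to revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding, not the audited contract. The names
// Pool, getPoolParametersByAddress, _wTokenToCollateralToken,
// _redeemPositionToken and _redeemWTokenPrivate come from the finding; the
// struct fields, the mapping key, the storage layout and the redeem
// internals are assumptions made for the example.
contract PositionTokenRedeemExample {
    struct Pool {
        address collateralToken; // assumed field
        address wToken;          // assumed field
    }

    // positionToken => pool parameters; an unregistered key yields the zero struct
    mapping(address => Pool) private _poolByPositionToken;
    // wToken => collateral it wraps; an unregistered key yields address(0)
    mapping(address => address) private _wTokenToCollateralToken;

    error InvalidPositionToken(address positionToken);
    error WTokenCollateralMismatch(address wToken, address expected, address actual);
    event Redeemed(address indexed wToken, address indexed collateralToken, uint256 amount);

    // Access control omitted: this is only setup for the demonstration.
    function registerPool(address positionToken, address wToken, address collateralToken) external {
        _poolByPositionToken[positionToken] = Pool(collateralToken, wToken);
        _wTokenToCollateralToken[wToken] = collateralToken;
    }

    // Mirrors the documented behaviour: an unknown position token returns a
    // default Pool whose collateralToken is address(0).
    function getPoolParametersByAddress(address positionToken) public view returns (Pool memory) {
        return _poolByPositionToken[positionToken];
    }

    // Vulnerable shape. For an unregistered position token both sides of the
    // comparison are address(0), so the "validation" passes and redemption
    // continues with a zero-address wToken and collateral token.
    function _redeemPositionTokenUnchecked(address positionToken, uint256 amount) internal {
        Pool memory pool = getPoolParametersByAddress(positionToken);
        require(_wTokenToCollateralToken[pool.wToken] == pool.collateralToken, "wToken mismatch");
        _redeemWTokenPrivate(pool.wToken, pool.collateralToken, amount);
    }

    // Hardened shape: reject the zero struct before any further lookup, then
    // keep the mapping comparison as a second, now meaningful, check.
    function _redeemPositionToken(address positionToken, uint256 amount) internal {
        Pool memory pool = getPoolParametersByAddress(positionToken);
        if (pool.collateralToken == address(0)) revert InvalidPositionToken(positionToken);
        address mapped = _wTokenToCollateralToken[pool.wToken];
        if (mapped != pool.collateralToken) {
            revert WTokenCollateralMismatch(pool.wToken, pool.collateralToken, mapped);
        }
        _redeemWTokenPrivate(pool.wToken, pool.collateralToken, amount);
    }

    // Stand-in for the real redemption logic; it only records what it was
    // asked to redeem so the difference between the two paths is observable.
    function _redeemWTokenPrivate(address wToken, address collateralToken, uint256 amount) private {
        emit Redeemed(wToken, collateralToken, amount);
    }

    function redeem(address positionToken, uint256 amount) external {
        _redeemPositionToken(positionToken, amount);
    }

    function redeemUnchecked(address positionToken, uint256 amount) external {
        _redeemPositionTokenUnchecked(positionToken, amount);
    }
}
```

Deployed in Remix or a Foundry test, calling redeemUnchecked with an address that was never passed to registerPool emits Redeemed with address(0) for both the wToken and the collateral token, which is exactly the false positive described above; calling redeem with the same input reverts with InvalidPositionToken before any lookup or transfer is attempted. The zero-address check is placed first deliberately: once the default struct is excluded, the mapping comparison can only pass for a wToken that is actually registered against the expected collateral.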