Submission Details
Severity:
Missing `Address(0)` Check
## Summary
Missing `address(0)` check for `marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient` in
`VaultRouterBranch::deposit`
## Vulnerability Details
During the deposition of a given amount of collateral assets into the provided vault in exchange for index tokens, fees are
deducted from the amount of assets being deposited and sent to
`marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient`.
```javascript
if (ctx.assetFees > 0) {
IERC20(ctx.vaultAsset).safeTransferFrom(
msg.sender,
marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient,
ctx.assetFees,
);
}
```
However, there is no check if the address `marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient` has been set.
## Impact
Tranfer fee(`ctx.assetFees`) to an `address(0)` leading to burning of fees.
## Recommendations
Add a check before the transfer operation.
```diff
+ error InvalidAddress();
.
.
+ if(marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient == address(0)) {
+ revert InvalidAddress();
+ }
if (ctx.assetFees > 0) {
IERC20(ctx.vaultAsset).safeTransferFrom(
msg.sender,
marketMakingEngineConfiguration.vaultDepositAndRedeemFeeRecipient,
ctx.assetFees,
);
}
```
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821
USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.