The function MarketMakingEngineConfiguration::distributeProtocolAssetReward lacks input validation to ensure that the asset provided is a valid ERC20 token address and that the amount to be distributed is greater than zero. This can lead to unexpected behavior, such as transferring tokens from invalid addresses or performing transfers when the amount is zero, which could result in incorrect or malicious contract interactions.
The function does not validate whether the asset address is a valid ERC20 token contract.
The amount parameter is not checked to ensure it is greater than zero before proceeding with the reward distribution.
Without this validation, an invalid address or a zero amount could lead to failed transactions, loss of funds, or unintended behaviors in the contract.
Invalid Asset Address: If the asset address is not a valid ERC20 token, the safeTransfer method will fail, potentially causing the transaction to revert unexpectedly, which could lead to a loss of funds or halted contract execution.
Zero Amount: If the amount is zero, the function may still attempt to distribute rewards, potentially causing errors or wasted gas usage for unnecessary transactions.
Manual code review.
Validate Asset.
Add a check to ensure the amount is greater than zero before proceeding with the distribution:
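One way to implement both recommended checks, shown as an added example rather than the project's own code. The library, error and function names are hypothetical, and the `balanceOf` probe is an assumed heuristic for what counts as a "valid ERC20" here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example with hypothetical names; not taken from the audited code base.
library RewardInputChecks {
    error ZeroAmount();
    error AssetIsZeroAddress();
    error AssetHasNoCode(address asset);
    error AssetNotERC20Like(address asset);

    /// Reverts unless `amount` is non-zero and `asset` looks like a deployed ERC20.
    function validate(address asset, uint256 amount) internal view {
        // Zero-amount distributions do no useful work; reject them up front.
        if (amount == 0) revert ZeroAmount();

        if (asset == address(0)) revert AssetIsZeroAddress();

        // An EOA or undeployed address has no code; a low-level call to it
        // succeeds and returns nothing, so check for code explicitly.
        if (asset.code.length == 0) revert AssetHasNoCode(asset);

        // Heuristic probe (assumption): an ERC20 must answer balanceOf(address)
        // with at least one 32-byte word. staticcall guarantees no state change.
        (bool ok, bytes memory ret) = asset.staticcall(
            abi.encodeWithSignature("balanceOf(address)", address(this))
        );
        if (!ok || ret.length < 32) revert AssetNotERC20Like(asset);
    }
}

/// Thin wrapper so the checks can be exercised from a test or a script.
contract RewardInputChecksHarness {
    function check(address asset, uint256 amount) external view {
        RewardInputChecks.validate(asset, amount);
    }
}
```

A probe like this only filters out non-contracts and contracts without `balanceOf`; it cannot prove full ERC20 compliance, so an explicit allowlist of supported assets is the stronger control where the protocol already maintains one.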