Zaros Part 2
Perpetuals DEX, Foundry, Solidity
Prize pool: 70,000 USDC
Submission Details
Severity: high
Status: Invalid

Missing Zero Address Check in `ZlpVault::withdraw` Function

Vulnerability Details

The `ZlpVault::withdraw` function does not validate that the `receiver` and `owner` addresses are non-zero (`address(0)`). If either address is the zero address, the call could behave in unintended ways, such as directing assets to an invalid address.

```solidity
function withdraw(
    uint256 assets,
    address receiver,
    address owner
)
    public
    override
    onlyMarketMakingEngine
    returns (uint256)
{
    return super.withdraw(assets, receiver, owner);
}
```

Impact

Allowing `receiver` or `owner` to be the zero address introduces risks to the contract, such as:

1. Loss of assets if funds are sent to the zero address.
2. A malicious actor could use the missing check to cause loss of funds or disrupt contract functionality.

Tools Used

Manual code review

Recommendations

Implement input validation to ensure that the `receiver` and `owner` addresses are not the zero address before performing any withdrawal operations.

```solidity
require(receiver != address(0), "Receiver address cannot be zero");
require(owner != address(0), "Owner address cannot be zero");
```

Updates
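The following is an added example, not code from the Zaros repository, showing the recommended checks applied to an ERC-4626-style `withdraw` override and exercised with Foundry tests. It assumes OpenZeppelin's `ERC4626`/`ERC20` and forge-std are available under the usual import paths; `HardenedVault`, `MockUSDC`, the `ZeroAddress` error, and the `engine`/`user` addresses are constructed for the example and stand in for the real `ZlpVault`, its asset, and the market making engine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: OpenZeppelin Contracts v5 and forge-std.
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the vault's underlying asset (hypothetical, not the Zaros asset).
contract MockUSDC is ERC20 {
    constructor() ERC20("Mock USDC", "mUSDC") {}

    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

// Hypothetical vault with the same withdraw shape as ZlpVault::withdraw,
// plus the zero-address checks recommended in the finding.
contract HardenedVault is ERC4626 {
    error ZeroAddress(string field);

    address public immutable marketMakingEngine;

    modifier onlyMarketMakingEngine() {
        require(msg.sender == marketMakingEngine, "caller is not the market making engine");
        _;
    }

    constructor(IERC20 asset_, address engine) ERC4626(asset_) ERC20("ZLP Share", "ZLP") {
        marketMakingEngine = engine;
    }

    function withdraw(uint256 assets, address receiver, address owner)
        public
        override
        onlyMarketMakingEngine
        returns (uint256)
    {
        // Reject the zero address up front with a descriptive custom error,
        // before any share burning or asset transfer happens.
        if (receiver == address(0)) revert ZeroAddress("receiver");
        if (owner == address(0)) revert ZeroAddress("owner");
        return super.withdraw(assets, receiver, owner);
    }
}

contract HardenedVaultTest is Test {
    MockUSDC internal usdc;
    HardenedVault internal vault;
    address internal engine = makeAddr("engine"); // constructed address
    address internal user = makeAddr("user");     // constructed address

    function setUp() public {
        usdc = new MockUSDC();
        vault = new HardenedVault(usdc, engine);
        usdc.mint(user, 1_000e6);

        // The user deposits and lets the engine withdraw on their behalf,
        // mirroring the onlyMarketMakingEngine access pattern.
        vm.startPrank(user);
        usdc.approve(address(vault), 1_000e6);
        vault.deposit(1_000e6, user);
        vault.approve(engine, type(uint256).max);
        vm.stopPrank();
    }

    function test_RevertsOnZeroReceiver() public {
        vm.prank(engine);
        vm.expectRevert(abi.encodeWithSelector(HardenedVault.ZeroAddress.selector, "receiver"));
        vault.withdraw(100e6, address(0), user);
    }

    function test_RevertsOnZeroOwner() public {
        vm.prank(engine);
        vm.expectRevert(abi.encodeWithSelector(HardenedVault.ZeroAddress.selector, "owner"));
        vault.withdraw(100e6, user, address(0));
    }

    function test_ValidWithdrawSucceeds() public {
        vm.prank(engine);
        uint256 sharesBurned = vault.withdraw(100e6, user, user);
        // First depositor with no decimals offset: shares track assets 1:1.
        assertEq(sharesBurned, 100e6);
        assertEq(usdc.balanceOf(user), 100e6);
    }
}
```

Run with `forge test --match-contract HardenedVaultTest`. A custom error rather than a `require` string keeps the revert reason cheap and lets callers match it precisely; checking both addresses before delegating to `super.withdraw` means the vault fails with its own clear error regardless of how the underlying token or base vault treats the zero address.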

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
