The ZlpVault::redeem function does not include a check to ensure that neither the receiver nor the owner addresses are zero addresses before proceeding with the transaction. This is important because sending tokens to a zero address can result in assets being lost permanently.
If the receiver or owner is the zero address, tokens may be lost as they would be sent to the address 0x0000000000000000000000000000000000000000.
Allowing zero addresses to be used could potentially open the contract to malicious behavior.
Add checks at the beginning of the redeem function to ensure that the receiver and owner addresses are not zero addresses.
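
The recommended guard, shown in a minimal vault as an added example (this is not the ZlpVault source). The contract name GuardedVaultSketch, the IERC20Minimal interface, the custom errors and the 1:1 share accounting are all assumptions made for illustration, and the asset is assumed to return a bool from its transfer functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: a 1:1 share vault, not the audited ZlpVault code.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedVaultSketch {
    error ZeroAddress();
    error NotOwner();
    error InsufficientShares();
    error TransferFailed();

    IERC20Minimal public immutable asset;
    mapping(address => uint256) public sharesOf;

    constructor(IERC20Minimal asset_) {
        if (address(asset_) == address(0)) revert ZeroAddress();
        asset = asset_;
    }

    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        if (receiver == address(0)) revert ZeroAddress();
        // Pull the assets first, then credit shares (1:1 in this sketch).
        if (!asset.transferFrom(msg.sender, address(this), assets)) revert TransferFailed();
        shares = assets;
        sharesOf[receiver] += shares;
    }

    function redeem(uint256 shares, address receiver, address owner)
        external
        returns (uint256 assets)
    {
        // Guard first: revert before any share accounting or token transfer.
        if (receiver == address(0) || owner == address(0)) revert ZeroAddress();
        // Simplification: no allowance path, so the caller must be the share owner.
        if (msg.sender != owner) revert NotOwner();
        if (sharesOf[owner] < shares) revert InsufficientShares();

        assets = shares;           // 1:1 in this sketch
        sharesOf[owner] -= shares; // effects before the external call
        if (!asset.transfer(receiver, assets)) revert TransferFailed();
    }
}
```

Placing the check on the first line of redeem means a call with a zero receiver or owner reverts with a distinct ZeroAddress error before shares are burned or assets move.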