DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero-Check in External Call (to.call(callData))

Summary

In ParaSwapUtils.sol, line 24 performs an external call to the to address via to.call(callData), but nothing validates that to is not address(0). If to is mistakenly set to address(0), the transaction will revert, potentially leading to denial of service or unintended contract behavior.

Vulnerability Details

Code (Line 24, ParaSwapUtils.sol)

(bool success, ) = to.call(callData);
  • Issue: to.call(callData) is executed without checking whether to is address(0).

  • Risk: If to is zero, the contract execution will revert, which could break critical functionality that relies on ParaSwap swaps.

Impact

An attacker (or a misconfigured contract) could exploit this issue by setting to = address(0), causing the swap to fail.

// Submission PoC, made compilable: the call data is taken as a parameter instead of an undeclared variable.
// The import of ParaSwapUtils is omitted because the submission does not give its path.
pragma solidity ^0.8.0;

contract Attacker {
    function attack(ParaSwapUtils target, bytes calldata someCallData) external {
        // Call ParaSwapUtils with address(0), which will cause an unintended revert
        target.executeSwap(address(0), someCallData);
    }
}

Expected Behavior

  • The transaction will fail due to an invalid call to address(0).

  • Any dependent operations relying on this swap execution will also fail.

  • Denial of Service (DoS): If an invalid address is used, swaps cannot be executed, breaking the contract’s intended functionality.

  • Unexpected Reverts: Calls that rely on to.call(callData) could fail in scenarios where to is mistakenly unset.

  • Potential Fund Loss: If external integrations assume that swaps will always succeed, unexpected failures could cause liquidity mismanagement.

Tools Used

Manual Review

Recommendations

Add a Zero-Check Before Calling to.call(callData)

Modify the function to ensure that to is a valid address before executing the external call:

require(to != address(0), "Invalid address for external call");
(bool success, ) = to.call(callData);
require(success, "External call failed");
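The recommended guard, exercised in a Foundry test. This is an added example, not the project's code: GuardedSwap is a hypothetical stand-in for the wrapper, the executeSwap signature and MockRouter are assumptions, and the two require messages are the ones proposed above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical stand-in for the swap wrapper, hardened as recommended above.
// Not the audited ParaSwapUtils contract.
contract GuardedSwap {
    function executeSwap(address to, bytes calldata callData) external returns (bytes memory) {
        require(to != address(0), "Invalid address for external call");
        (bool success, bytes memory ret) = to.call(callData);
        require(success, "External call failed");
        return ret;
    }
}

// Constructed mock target: counts calls and doubles its input.
contract MockRouter {
    uint256 public calls;
    function swap(uint256 amount) external returns (uint256) { calls++; return amount * 2; }
}

contract GuardedSwapTest is Test {
    GuardedSwap swapper;
    MockRouter router;

    function setUp() public {
        swapper = new GuardedSwap();
        router = new MockRouter();
    }

    // The zero-check fires before any external call is attempted.
    function testRevertsOnZeroAddress() public {
        vm.expectRevert(bytes("Invalid address for external call"));
        swapper.executeSwap(address(0), abi.encodeCall(MockRouter.swap, (1)));
    }

    // A valid target is reached and its return data comes back unchanged.
    function testForwardsToRouter() public {
        bytes memory ret = swapper.executeSwap(address(router), abi.encodeCall(MockRouter.swap, (21)));
        assertEq(abi.decode(ret, (uint256)), 42);
        assertEq(router.calls(), 1);
    }

    // A selector the target does not implement makes it revert; the wrapper surfaces that.
    function testSurfacesTargetFailure() public {
        vm.expectRevert(bytes("External call failed"));
        swapper.executeSwap(address(router), abi.encodeWithSelector(bytes4(0xdeadbeef)));
    }
}
```

Run with forge test; the third case shows that the success check also stops a failed swap from being silently treated as complete.
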

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Users mistake, only impacting themselves.
