Submission Details
Impact:
Likelihood:
Missing Zero Address Validation
Description
The `withdrawTokens` function allows transferring tokens to the zero address, resulting in permanent fund loss.
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
@> IERC20(token).transfer(to, amount); // No validation for `to` parameter
emit TokensWithdrawn(to, token, amount);
}
Risk
Impact:
-
Tokens sent to `address(0)` are irrecoverable
-
No validation prevents accidental destruction of funds
-
Users cannot rely on contract safety measures
Proof of Concept
Add the following to `RebateFiHookTest.t.sol`
function test_WithdrawTokensToZeroAddress() public {
reFiToken.mint(address(rebateHook), 100 ether);
// Successfully transfers 100 ETH to zero address
rebateHook.withdrawTokens(address(reFiToken), address(0), 100 ether);
assertEq(reFiToken.balanceOf(address(0)), 100 ether); // Funds permanently lost
}
Recommended Mitigation
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
+ require(to != address(0), "Cannot withdraw to zero address");
+ require(token != address(0), "Invalid token address");
IERC20(token).transfer(to, amount);
emit TokensWithdrawn(token, to, amount);
}
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.