Submission Details
Impact:
Likelihood:
Missing Input Validation in Stratax::recoverTokens Allows Invalid Parameters
Author Revealed upon completion
Missing Input Validation in Stratax::recoverTokens Allows Invalid Parameters
Description:
Stratax::recoverTokens does not validate the inputs _token and _amount:
function recoverTokens(address _token, uint256 _amount) external onlyOwner {
IERC20(_token).transfer(owner, _amount);
}
This allows:
_token == address(0)(will revert or behave unexpectedly)_amount == 0(no-op calls that may hide operator mistakes)
Impact:
Low. This is mainly an operational robustness issue that can lead to misconfiguration calls and confusing behavior during emergency recovery.
Recommended Mitigation:
Add basic parameter checks:
function recoverTokens(address _token, uint256 _amount) external onlyOwner {
+ require(_token != address(0), "Invalid token");
+ require(_amount > 0, "Invalid amount");
IERC20(_token).transfer(owner, _amount);
}
Rewards breakdown
nSLOC
356This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.