Category: Business Logic

Lack of input validation

Severity: Informational
Impact: Low
Likelihood: Low

Description

The registerMarket function does not validate payoutToken_ and quoteToken_ addresses for a zero address value.

Impact

A market registered with a zero token address will be impossible to use, so it is worth preventing the creation of such markets.

Recommendations

We recommend implementing zero-address checks, such as the ones shown below:

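function registerMarket(ERC20 payoutToken_, ERC20 quoteToken_)
    external
    override
    returns (uint256 marketId)
{
    // Only whitelisted auctioneers may register markets.
    if (!_whitelist[msg.sender]) revert Aggregator_OnlyAuctioneer();
    // Reject zero token addresses. The ERC20 contract type must be cast
    // to address before it can be compared with address(0).
    require(
        address(payoutToken_) != address(0) && address(quoteToken_) != address(0),
        "zero address"
    );
    ...
}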

Remediation

Bond Labs acknowledged this finding and implemented a fix in commit e9042fc7.

Zellic © 2024