Category: Business Logic

Check validity of parameters

Informational Severity
Informational Impact
Low Likelihood

Description

Parameters such as the _gsPool in StakingRouter's functions could be checked for validity. For example,

function withdrawEsGsForPool(address _gsPool) external nonReentrant {
    IVester(poolTrackers[_gsPool].vester).withdrawForAccount(msg.sender);
}

lacks a check that _gsPool is a pool registered in the poolTrackers mapping. For an unregistered pool, poolTrackers[_gsPool].vester is address(0), so the external call is made against the zero address.

Impact

Failure to properly check the validity of parameters could lead to unexpected behavior, which in this case would have resulted in a failed external call. It is a good security practice to ensure the validity of parameters before using them, especially when these refer to arbitrary addresses.

Recommendations

In the function above, the _gsPool parameter could be checked for existence within the poolTrackers mapping before it is used. This would stop the function from proceeding with an invalid _gsPool address and give callers an explicit revert reason instead of an opaque failure.

function withdrawEsGsForPool(address _gsPool) external nonReentrant {
+   require(poolTrackers[_gsPool].vester != address(0), "StakingRouter: Pool not found");
    IVester(poolTrackers[_gsPool].vester).withdrawForAccount(msg.sender);
}
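As an added illustration, not code from the report or from the audited project, the following Foundry test exercises a hypothetical minimal stand-in for StakingRouter and contrasts the two failure modes: the unchecked variant reverts with empty revert data because the call targets address(0), while the checked variant reverts with the explicit reason. StakingRouterMock, VesterMock and registerPool are assumed names; IVester, poolTrackers and withdrawEsGsForPool follow the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

interface IVester {
    function withdrawForAccount(address _account) external;
}

// Hypothetical minimal stand-in for StakingRouter, reproducing only the pattern under review.
contract StakingRouterMock {
    struct PoolTracker { address vester; }
    mapping(address => PoolTracker) public poolTrackers;

    function registerPool(address _gsPool, address _vester) external {
        poolTrackers[_gsPool] = PoolTracker({vester: _vester});
    }
    // Unchecked variant from the finding: an unknown _gsPool yields vester == address(0).
    function withdrawEsGsForPoolUnchecked(address _gsPool) external {
        IVester(poolTrackers[_gsPool].vester).withdrawForAccount(msg.sender);
    }
    // Checked variant from the recommendation.
    function withdrawEsGsForPool(address _gsPool) external {
        require(poolTrackers[_gsPool].vester != address(0), "StakingRouter: Pool not found");
        IVester(poolTrackers[_gsPool].vester).withdrawForAccount(msg.sender);
    }
}

// Records the account that was forwarded, so the happy path can be asserted.
contract VesterMock is IVester {
    address public lastAccount;
    function withdrawForAccount(address _account) external { lastAccount = _account; }
}

contract ParamCheckTest is Test {
    StakingRouterMock router;
    VesterMock vester;
    address pool;

    function setUp() public {
        router = new StakingRouterMock();
        vester = new VesterMock();
        pool = makeAddr("pool");
        router.registerPool(pool, address(vester));
    }
    function testUnknownPoolRevertsWithReason() public {
        vm.expectRevert(bytes("StakingRouter: Pool not found"));
        router.withdrawEsGsForPool(makeAddr("unknown"));
    }
    function testUncheckedRevertsOpaquely() public {
        vm.expectRevert(); // address(0) has no code: high-level call reverts with empty data
        router.withdrawEsGsForPoolUnchecked(makeAddr("unknown"));
    }
    function testKnownPoolForwardsCaller() public {
        router.withdrawEsGsForPool(pool);
        assertEq(vester.lastAccount(), address(this));
    }
}
```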

Remediation

Zellic © 2024