Category: Coding Mistakes

Emergency withdraw functions are missing zero address checks

Medium Severity
Low Impact
Low Likelihood

Description

The withdrawERC20(), withdrawERC20Full(), withdrawMultipleERC20(), and withdrawMultipleERC20Full() functions are owner-only emergency withdrawal functions used to recover ERC20 tokens that were mistakenly sent to the Paymaster contract. Each of them transfers the tokens to a caller-supplied target address.

Impact

None of these emergency withdraw functions checks that the target address is nonzero. If the owner attempts to withdraw a substantial amount of tokens and accidentally passes address(0) as the target, the transfer sends the tokens to the zero address, from which they cannot be recovered. Some token implementations (for example, OpenZeppelin's ERC20) reject transfers to address(0) themselves, but the Paymaster cannot rely on that for every token it may hold, so the loss is permanent for any token that does not enforce it.

Recommendations

Consider adding a check that target is not equal to address(0) to each of these functions, before any transfer is made. The withdrawAllNative() function already performs this check, and the ERC20 variants should be consistent with it.
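The following Solidity sketch is an added illustration, not Biconomy's Paymaster code: it shows an unchecked withdrawal beside the recommended form with the zero-address guard, plus a batch variant that validates the target once before any token moves. The function signatures, the custom errors, and the use of OpenZeppelin's Ownable and SafeERC20 are assumptions made for the example; the report does not give the actual signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies for this illustration (OpenZeppelin v5 layout).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative contract modelling only the owner-gated emergency
/// withdrawal path discussed in this finding. Not the audited code.
contract EmergencyWithdrawExample is Ownable {
    using SafeERC20 for IERC20;

    error ZeroAddressTarget();
    error LengthMismatch();

    constructor() Ownable(msg.sender) {}

    /// "Before": no check on `target`. For a token whose transfer does not
    /// itself reject a zero recipient, the amount is sent to address(0) and
    /// is unrecoverable.
    function withdrawERC20Unchecked(IERC20 token, address target, uint256 amount)
        external
        onlyOwner
    {
        token.safeTransfer(target, amount);
    }

    /// "After": reject address(0) before any transfer happens.
    function withdrawERC20(IERC20 token, address target, uint256 amount)
        external
        onlyOwner
    {
        if (target == address(0)) revert ZeroAddressTarget();
        token.safeTransfer(target, amount);
    }

    /// Full-balance variant with the same guard; the amount is whatever the
    /// contract currently holds of that token.
    function withdrawERC20Full(IERC20 token, address target) external onlyOwner {
        if (target == address(0)) revert ZeroAddressTarget();
        token.safeTransfer(target, token.balanceOf(address(this)));
    }

    /// Batch variant: validate the target (and array lengths) once up front so
    /// a bad input reverts the whole call before any token moves.
    function withdrawMultipleERC20(
        IERC20[] calldata tokens,
        address target,
        uint256[] calldata amounts
    ) external onlyOwner {
        if (target == address(0)) revert ZeroAddressTarget();
        if (tokens.length != amounts.length) revert LengthMismatch();
        for (uint256 i = 0; i < tokens.length; ++i) {
            tokens[i].safeTransfer(target, amounts[i]);
        }
    }
}
```

Putting the guard in the Paymaster rather than trusting the token keeps the behaviour uniform across every ERC20 the contract might hold, and a dedicated custom error makes an operator's mistake obvious in the revert reason instead of surfacing as a token-specific message or, worse, a successful burn.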

Remediation

Biconomy Labs implemented a fix for this issue in commit a88357ef2.

Zellic © 2024