Cally contest - 242's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Platform: Code4rena

Start Date: 10/05/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 100

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 1

Id: 122

League: ETH

Researcher Performance

Rank: 70/100

Findings: 1

Award: $54.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

Low+: Passing zero address does not revert when creating new vault for ERC20 token.

In cally.sol:function createVault, if you pass address token as address(0) along with TokenType.ERC20, a new zeroed, useless vault gets created:

[71840] Cally::createVault(0, 0x0000000000000000000000000000000000000000, 0, 7, 0, 0, 1)
│   ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: TestCreateVault: [0xb4c79dab8f259c7aee6e5b2aa729821864227e84], id: 3)
│   ├─ emit NewVault(vaultId: 3, from: TestCreateVault: [0xb4c79dab8f259c7aee6e5b2aa729821864227e84], token: 0x0000000000000000000000000000000000000000)
│   ├─ [0] 0x0000…0000::transferFrom(TestCreateVault: [0xb4c79dab8f259c7aee6e5b2aa729821864227e84], Cally: [0xf5a2fe45f4f1308502b1c136b9ef8af136141382], 0)
│   │   └─ ← ()
│   └─ ← 3

This is because SafeTransferLib.sol:safeTransferFrom returns true, as both assembly logic operations result in 1 when applying a call to the zero address.

(In the case of ERC721 it correctly reverts.)

Add a require(token != address(0), "zero address") check to prevent zero asset vaults from being created.
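
The behaviour described in the finding above, as an added example that is not part of the original submission and is not Cally or solmate code: a low-level call to an address with no code succeeds with empty return data, so a success check of the shape used by safe-transfer wrappers passes. The contract, interface and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; every name in this file is hypothetical.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ZeroAddressTransferDemo {
    /// Applies the usual "safe transfer" success rule: the call did not revert
    /// and it returned either nothing or abi-encoded true.
    function uncheckedPull(address token, address from, uint256 amount) public returns (bool) {
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Like.transferFrom.selector, from, address(this), amount)
        );
        // A call to an address with no code does not revert and returns no data,
        // so the rule below is satisfied for address(0) even though no token moved.
        return ok && (ret.length == 0 || abi.decode(ret, (bool)));
    }

    /// Hardened variant: reject the zero address and any address without code
    /// before trusting the result of the low-level call.
    function checkedPull(address token, address from, uint256 amount) public returns (bool) {
        require(token != address(0), "zero address");
        require(token.code.length > 0, "token has no code");
        return uncheckedPull(token, from, amount);
    }

    /// Exercises the unchecked path with address(0) as the token.
    function demoUnchecked() external returns (bool) {
        return uncheckedPull(address(0), msg.sender, 0);
    }

    /// Exercises the hardened path with address(0); the first require stops it.
    function demoChecked() external returns (bool) {
        return checkedPull(address(0), msg.sender, 0);
    }
}
```

The code-length check goes one step beyond the finding's recommendation: it also rejects non-zero addresses that have no contract deployed, which pass the same success rule.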
