Insufficient input validation may lead to loss of funds due to invalid or malicious input data. #183
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
🤖_00_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
Comments
c4-bot-8
added
2 (Med Risk)
howlbot-integration
bot
added
the
sufficient quality report
|
Note, this are not present in the automated finding report for known issues. Grouping all address(0) input validation checks together. They should all likely be at most QA and argubly invalid based on the following READ.ME information:
#101 would require a user error.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/ronin-chain/katana-operation-contracts/blob/27f9d28e00958bf3494fa405a8a5acdcd5ecdc5d/src/aggregate-router/base/Dispatcher.sol#L50
Vulnerability details
Proof of Concept
Insufficient Input Validation: The contract relies on user-supplied data but does not adequately validate these inputs, such as recipient or amount. Malicious or erroneous inputs could result in unintended transactions or loss of funds.
Proof of Concept: If a user provides a 0x0 recipient address, funds could be sent to an invalid address, effectively burning them. Another example would be overly high values for slippage in swap functions (amountOutMin).
User calls dispatch with recipient set to 0x0.
Funds are transferred to a zero address, making them unrecoverable.
Impact: Loss of funds due to invalid or malicious input data.
Recommended Mitigation Steps
Example:In Solidity, failing to validate addresses has led to several incidents of funds being sent to 0x0.
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: