ctf_sec
medium
BufferBinaryPool.sol#_beforeTokenTransfer does not handle address(to) == address(0) when burning the pool token.
BufferBinaryPool.sol#_beforeTokenTransfer does not handle address(to) == 0
When the token is transferred, the _beforeTokenTransfer hood is called. but the function does handle the case when address(to) == address(0)
function _beforeTokenTransfer(
address from,
address to,
uint256 value
) internal override {
if (!isHandler[from] && !isHandler[to] && from != address(0)) {
_updateLiquidity(from);
require(
liquidityPerUser[from].unlockedAmount >= value,
"Pool: Transfer of funds in lock in period is blocked"
);
liquidityPerUser[from].unlockedAmount -= value;
liquidityPerUser[to].unlockedAmount += value;
}
}
when the token is burned, the address(from) user lose the unlockedAmount and this unlockedAmount is falsely creditted to address(0)
Manual Review
We recommend the project handle the case when address(to) == address(0) when the pool token is burned.
function _beforeTokenTransfer(
address from,
address to,
uint256 value
) internal override {
if (!isHandler[from] && !isHandler[to] && from != address(0)) {
_updateLiquidity(from);
require(
liquidityPerUser[from].unlockedAmount >= value,
"Pool: Transfer of funds in lock in period is blocked"
);
liquidityPerUser[from].unlockedAmount -= value;
if(to != address(0) {
liquidityPerUser[to].unlockedAmount += value;
}
}
}