048.md

ctf_sec

medium

BufferBinaryPool.sol#_beforeTokenTransfer does not handle address(to) == address(0) when burning the pool token.

Summary

BufferBinaryPool.sol#_beforeTokenTransfer does not handle address(to) == 0

Vulnerability Detail

When the token is transferred, the _beforeTokenTransfer hood is called. but the function does handle the case when address(to) == address(0)

  function _beforeTokenTransfer(
      address from,
      address to,
      uint256 value
  ) internal override {
      if (!isHandler[from] && !isHandler[to] && from != address(0)) {
          _updateLiquidity(from);
          require(
              liquidityPerUser[from].unlockedAmount >= value,
              "Pool: Transfer of funds in lock in period is blocked"
          );
          liquidityPerUser[from].unlockedAmount -= value;
          liquidityPerUser[to].unlockedAmount += value;
      }
  }

Impact

when the token is burned, the address(from) user lose the unlockedAmount and this unlockedAmount is falsely creditted to address(0)

Code Snippet

https://github.com/sherlock-audit/2022-11-buffer/blob/main/contracts/contracts/core/BufferBinaryPool.sol#L337-L353

Tool used

Manual Review

Recommendation

We recommend the project handle the case when address(to) == address(0) when the pool token is burned.

  function _beforeTokenTransfer(
      address from,
      address to,
      uint256 value
  ) internal override {
      if (!isHandler[from] && !isHandler[to] && from != address(0)) {
          _updateLiquidity(from);
          require(
              liquidityPerUser[from].unlockedAmount >= value,
              "Pool: Transfer of funds in lock in period is blocked"
          );
          liquidityPerUser[from].unlockedAmount -= value;
	  if(to != address(0) {
	     liquidityPerUser[to].unlockedAmount += value;
          }
      }
  }