There are checks for the validity of token and amount, but not for receiver
Closed this issue · 1 comments
contract-whale commented
function createLockUp(address token, bool isERC20, uint256 amount, uint40 unlockTime, address receiver, string calldata title) external {
if (token == address(0)) revert LockUp__InvalidParams('token');
if (amount == 0) revert LockUp__InvalidParams('amount');
if (unlockTime <= block.timestamp) revert LockUp__InvalidParams('unlockTime');
// Deposit total amount of tokens to this contract
if (isERC20) {
IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
} else {
// Only support an ERC1155 token at id = 0
IERC1155(token).safeTransferFrom(msg.sender, address(this), 0, amount, "");
}
// Create a new lockUp
lockUps.push();
LockUp storage lockUp = lockUps[lockUps.length - 1];
lockUp.token = token;
lockUp.isERC20 = isERC20;
lockUp.unlockTime = unlockTime;
// lockUp.unlocked = false;
lockUp.amount = amount;
lockUp.receiver = receiver;
lockUp.title = title;
emit LockedUp(lockUps.length - 1, token, isERC20, receiver, amount, unlockTime);
}
My description
In the Locker contract's createLockUp function, there are checks for the validity of token and amount, but not for receiver.
Impact
Without validating the receiver address, the function could lock funds with no way to retrieve them if the address is incorrect (like address(0)).
My Suggestion
Implement a check to ensure that receiver is not address(0).
sydneyitguy commented
Duplicated with: #12