2 matches found
Missing receiver validation in withdrawFrom
Lines of code Vulnerability details Impact The FETH.withdrawFrom function does not validate its to parameter. Funds can be lost if to is the zero address. Similar issues have been judged as medium recently, see Sandclock M-15 / Github issue Recommended Mitigation Steps Check that to != 0. --- The...
Users can unlock other users FETH tokens
Lines of code Vulnerability details Impact In FETH.sol the marketUnlockFor function which is called by the market contract does not ensure that funds can only be unlocked by the owner of the account. This opens the way for a user to unlock FETH tokens of arbitrary accounts. Proof of Concept Tools...