createHATPaymentSplitter function doesn't check for duplicate addresses, zero addresses, and length of both parameter arrays #56

hats-bug-reporter · 2023-11-04T06:17:56Z

Github username: @ololade97
Submission hash (on-chain): 0x433ac82f0d8f9656352c9cb52c78a6a65b3471c1c2900beae649de71d66fec0a
Severity: high

Description:
Description
According to the Openzeppelin documentation, when implementing a PaymentSplitter, all addresses in payees must be non-zero. Both arrays must have the same non-zero length, and there must be no duplicates in payees.

See here:
https://docs.openzeppelin.com/contracts/2.x/api/payment

In the createHATPaymentSplitter function, the above are not checked.

Attachments
https://github.com/hats-finance/hats-contracts/blob/0d6ebbde912bc272d9b310140d434ee2aacd36d3/contracts/HATPaymentSplitterFactory.sol#L17-L22

Proof of Concept (PoC) File

https://docs.openzeppelin.com/contracts/2.x/api/payment

Revised Code File (Optional)

jellegerbrandy · 2023-11-05T17:17:55Z

These checks are implemented in the OZ code

hats-bug-reporter bot added the bug Something isn't working label Nov 4, 2023

jellegerbrandy added the invalid This doesn't seem right label Nov 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

createHATPaymentSplitter function doesn't check for duplicate addresses, zero addresses, and length of both parameter arrays #56

createHATPaymentSplitter function doesn't check for duplicate addresses, zero addresses, and length of both parameter arrays #56

hats-bug-reporter bot commented Nov 4, 2023

jellegerbrandy commented Nov 5, 2023

createHATPaymentSplitter function doesn't check for duplicate addresses, zero addresses, and length of both parameter arrays #56

createHATPaymentSplitter function doesn't check for duplicate addresses, zero addresses, and length of both parameter arrays #56

Comments

hats-bug-reporter bot commented Nov 4, 2023

jellegerbrandy commented Nov 5, 2023