search

Gravita-Protocol / Gravita-SmartContracts

GNU General Public License v3.0
48 stars 31 forks source link

[GRV-01S] Inexistent Sanitization of Input Addresses #371

Closed 0xfornax closed 1 year ago

0xfornax commented 1 year ago

GRV-01S: Inexistent Sanitization of Input Addresses

Type Severity Location
Input Sanitization GRVTStaking.sol:L60-L78

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

function setAddresses(
    address _debtTokenAddress,
    address _feeCollectorAddress,
    address _grvtTokenAddress,
    address _treasuryAddress,
    address _vesselManagerAddress
) external onlyOwner {
    require(!isSetupInitialized, "Setup is already initialized");

    debtTokenAddress = _debtTokenAddress;
    feeCollectorAddress = _feeCollectorAddress;
    grvtToken = IERC20Upgradeable(_grvtTokenAddress);
    treasuryAddress = _treasuryAddress;
    vesselManagerAddress = _vesselManagerAddress;

    isAssetTracked[ETH_REF_ADDRESS] = true;
    ASSET_TYPE.push(ETH_REF_ADDRESS);
    isSetupInitialized = true;
}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

0xfornax commented 1 year ago

This contract was not part of the audit scope and is not going to be deployed yet.