search

Gravita-Protocol / Gravita-SmartContracts

GNU General Public License v3.0
49 stars 31 forks source link

[DTN-02S] Inexistent Sanitization of Input Addresses #38

Closed 0xfornax closed 1 year ago

0xfornax commented 1 year ago

DTN-02S: Inexistent Sanitization of Input Addresses

Type Severity Location
Input Sanitization DebtToken.sol:L42-L52

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

constructor(
    address _vesselManagerAddress,
    address _stabilityPoolAddress,
    address _borrowerOperationsAddress,
    address _timelockAddress
) ERC20("GRAI", "GRAI") {
    vesselManagerAddress = _vesselManagerAddress;
    timelockAddress = _timelockAddress;
    stabilityPool = IStabilityPool(_stabilityPoolAddress);
    borrowerOperationsAddress = _borrowerOperationsAddress;
}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

0xfornax commented 1 year ago

The setAddresses function is called only once by our deployment script. As a mitigation, we'll add these checks to the script to minimize deployment costs and achieve the same end result.