ghoul-sol
commented
3 years ago It's definitely a good practice to require non-zero address, however, it's not a threat. Severity should be 0.
Added to backlog, thanks!
Open code423n4 opened 3 years ago
ghoul-sol
commented
3 years ago It's definitely a good practice to require non-zero address, however, it's not a threat. Severity should be 0.
Added to backlog, thanks!
cemozerr
commented
3 years ago Both the impact and the likelihood of this bug is low, so rating this as non-critical.
Handle
shw
Vulnerability details
Impact
During the deployment of the contracts
CErc20andCErc20Immutable, both input parametersunderlying_andComptrollerInterfacelack a non-zero address check. InCEther, theComptrollerInterfaceis not required to be non-zero either. If any of them were provided as0accidentally, there is no way to change the values, and the contract should be redeployed.Proof of Concept
Referenced code: CErc20.sol#L23-L36 CErc20Immutable.sol#L24-L41 CEther.sol#L23-L37 CToken.sol#L28-L59 CToken.sol#L1154-L1171
Tools Used
None
Recommended Mitigation Steps
Add non-zero address checks in the constructor of the
CErc20,CErc20Immutable, andCEthercontracts.