Open code423n4 opened 3 years ago
It's definitely a good practice to require non-zero address, however, it's not a threat. Severity should be 0.
Added to backlog, thanks!
Both the impact and the likelihood of this bug are low, so rating this as non-critical.
Handle: shw
Vulnerability details

Impact

During the deployment of the contracts `CErc20` and `CErc20Immutable`, both input parameters `underlying_` and `ComptrollerInterface` lack a non-zero address check. In `CEther`, the `ComptrollerInterface` is not required to be non-zero either. If any of them were provided as `0` accidentally, there is no way to change the values, and the contract should be redeployed.

Proof of Concept
Referenced code: CErc20.sol#L23-L36 CErc20Immutable.sol#L24-L41 CEther.sol#L23-L37 CToken.sol#L28-L59 CToken.sol#L1154-L1171
Tools Used
None
Recommended Mitigation Steps
Add non-zero address checks in the constructor of the `CErc20`, `CErc20Immutable`, and `CEther` contracts.
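The mitigation above in working form, as an added example that is not part of the original report or the audited code base. The contract names carry an `Example` suffix, the interfaces are minimal stand-ins for the real Compound-style `ComptrollerInterface` and `EIP20Interface`, and the constructors are reduced to the two parameters the finding is about; everything else the real constructors do is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-ins for the real interfaces (assumptions for this example only).
interface ComptrollerInterface {}

interface EIP20Interface {
    function totalSupply() external view returns (uint256);
}

// Simplified CErc20 / CErc20Immutable constructor with the recommended checks.
contract CErc20Example {
    address public underlying;
    ComptrollerInterface public comptroller;

    // A custom error names the offending parameter so a bad deployment is obvious.
    error ZeroAddress(string param);

    constructor(address underlying_, ComptrollerInterface comptroller_) {
        // Reject the zero address up front: both values are fixed after deployment,
        // so a mistake here would otherwise force a redeploy.
        if (underlying_ == address(0)) revert ZeroAddress("underlying_");
        if (address(comptroller_) == address(0)) revert ZeroAddress("comptroller_");

        underlying = underlying_;
        comptroller = comptroller_;

        // Optional sanity probe (same idea as the totalSupply() call in upstream
        // Compound's CErc20.initialize): the underlying must at least answer as a token.
        EIP20Interface(underlying).totalSupply();
    }
}

// Simplified CEther constructor: there is no underlying, only the comptroller to check.
contract CEtherExample {
    ComptrollerInterface public comptroller;

    constructor(ComptrollerInterface comptroller_) {
        require(address(comptroller_) != address(0), "CEther: zero comptroller");
        comptroller = comptroller_;
    }
}
```

Design note: an explicit check fails the deployment transaction immediately with a readable reason. Without it, a zero `underlying_` would in practice surface only when the underlying is first called (a high-level call to an address with no code reverts in Solidity 0.8), while a zero comptroller is never probed by the constructor and would only be noticed at the first market operation, after the immutable value is already locked in. That late, silent failure mode is what the checks close off, even though, as the judge notes, the likelihood is low because the values come from the deployer.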