Open code423n4 opened 3 years ago
We are going to verify manually that the governor is set properly in the deployment scripts; if it's not run properly, we are prepared to redeploy. Not a bug.
As with #9, I'm categorising this as an informational issue.
Handle
0xRajeev
Vulnerability details
Impact
Input validation on address parameters checking for zero addresses is always recommended. This becomes especially critical for parameters which cannot be later changed (if/when zero addresses are used mistakenly) and will force redeployment of contracts.
The constructor of MapleGlobals does not input validate the governor, Maple protocol token or admin parameters for zero addresses. While admin can be reset via setAdmin, Maple protocol token or the critical governor address that is the most significant address for access control in the protocol, cannot be reset and will require contract redeployment. Changing the governor address via setPendingGovernor+acceptGovernor itself requires the calling account to be a valid governor account which is not the case for a zero address.
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/MapleGlobals.sol#L74-L96
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add zero address input validation on all address parameters, especially the critical ones which cannot be reset later such as the governor address.
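The recommended mitigation, as an added example that is not part of the original issue or the Maple code base: a simplified contract whose constructor rejects zero addresses, with the two-step governor handover shown to make clear why a zero governor cannot be recovered. The contract name `GlobalsSketch`, the parameter names, the `mpl` variable, the revert strings, the Solidity version and the governor-only restriction on `setAdmin` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative sketch only: not the MapleGlobals source. Names, storage
/// layout and revert strings are assumptions made for this example.
contract GlobalsSketch {
    address public governor;        // can only be changed by the current governor
    address public pendingGovernor; // second step of the two-step handover
    address public immutable mpl;   // protocol token (hypothetical name), fixed at deployment
    address public admin;           // resettable through setAdmin

    modifier isGovernor() {
        // If governor == address(0), no caller can ever satisfy this check,
        // so every function guarded by it is locked for good.
        require(msg.sender == governor, "NOT_GOVERNOR");
        _;
    }

    constructor(address _governor, address _mpl, address _admin) {
        // Reject zero addresses at deployment, where a mistake is cheapest to catch.
        require(_governor != address(0), "ZERO_GOVERNOR");
        require(_mpl      != address(0), "ZERO_MPL");
        require(_admin    != address(0), "ZERO_ADMIN");
        governor = _governor;
        mpl      = _mpl;
        admin    = _admin;
    }

    function setPendingGovernor(address _pendingGovernor) external isGovernor {
        require(_pendingGovernor != address(0), "ZERO_PENDING_GOVERNOR");
        pendingGovernor = _pendingGovernor;
    }

    function acceptGovernor() external {
        // Only the nominated address can complete the handover, which shows
        // that the new governor key exists and can sign transactions.
        require(msg.sender == pendingGovernor, "NOT_PENDING_GOVERNOR");
        governor = pendingGovernor;
        pendingGovernor = address(0);
    }

    // Assumption: setAdmin is restricted to the governor in this sketch.
    function setAdmin(address _admin) external isGovernor {
        require(_admin != address(0), "ZERO_ADMIN");
        admin = _admin;
    }
}
```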