code-423n4 / 2021-04-maple-findings


Missing input validation on critical globals variable for zero address in LoanFactory.sol #50

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Input validation on address parameters checking for zero addresses is always recommended. This becomes especially critical for parameters which cannot be later changed (if/when zero addresses are used mistakenly) and will force redeployment of contracts.

The setGlobals() function does not validate the newGlobals parameter for the zero address. Accidentally using a zero address here cannot be corrected by calling setGlobals() again, because the function is access-protected by the _isValidGovernor() check, which itself uses the globals variable to access the governor address. Such an accidental zero-address assignment will force contract redeployment.

Proof of Concept

https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/LoanFactory.sol#L50-L53

https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/LoanFactory.sol#L152-L154

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add zero address input validation on all address parameters, especially the critical ones which cannot be reset later such as the globals address.
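
The lockout described in the report above, as an added Solidity example that is not part of the original issue or of the Maple code base. `IGlobalsLike`, `FactoryUnchecked`, `FactoryChecked` and the revert strings are hypothetical names for a simplified model of a setter whose access check reads the governor through `globals`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the globals contract: it only exposes the governor.
interface IGlobalsLike {
    function governor() external view returns (address);
}

// Simplified model of the reported pattern (not the LoanFactory source).
contract FactoryUnchecked {
    IGlobalsLike public globals;

    constructor(address initialGlobals) {
        globals = IGlobalsLike(initialGlobals);
    }

    // The governor is looked up through `globals` on every call.
    function _isValidGovernor() internal view {
        require(msg.sender == globals.governor(), "INVALID_GOVERNOR");
    }

    // No validation: setGlobals(address(0)) succeeds once. Afterwards
    // globals.governor() targets an address with no code, the external
    // call reverts, and no caller can pass the check to correct the value.
    function setGlobals(address newGlobals) external {
        _isValidGovernor();
        globals = IGlobalsLike(newGlobals);
    }
}

// Same contract with the zero-address check the report recommends.
contract FactoryChecked {
    IGlobalsLike public globals;

    constructor(address initialGlobals) {
        require(initialGlobals != address(0), "ZERO_GLOBALS");
        globals = IGlobalsLike(initialGlobals);
    }

    function _isValidGovernor() internal view {
        require(msg.sender == globals.governor(), "INVALID_GOVERNOR");
    }

    // Rejects the zero address before the state write. A non-zero address
    // without a governor() function would still lock the setter.
    function setGlobals(address newGlobals) external {
        _isValidGovernor();
        require(newGlobals != address(0), "ZERO_GLOBALS");
        globals = IGlobalsLike(newGlobals);
    }
}
```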

lucas-manuel commented 3 years ago

We actually are not going to address this; we do not think this is a bug. The governor will manually verify non-zero addresses.

Arachnid commented 3 years ago

Duplicate of #10