code-423n4 / 2021-04-vader-findings

1 stars 0 forks source link

Lack of input validation in init() function of DAO.sol #170

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

init() function initialises various critical addresses of different contracts. However, there is no zero-address validation of the address parameters. Using a zero address by mistake will require redeployment because initialization can be done only once due to the inited check.

Proof of Concept

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/DAO.sol#L46-L53

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add zero-address validation for all the address parameters of init() function.

strictly-scarce commented 3 years ago

https://github.com/code-423n4/2021-04-vader-findings/issues/42

dmvt commented 3 years ago

duplicate of #12