search

code-423n4 / 2021-06-gro-findings

0 stars 1 forks source link

Missing zero-address checks in constructors #61

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Checking addresses against zero-address during initialization or during setting is a security best-practice. However, such checks are missing in address variable initializations of some constructors.

Impact: Allowing zero-addresses will lead to contract reverts and force redeployments if there are no setters for such address variables.

Proof of Concept

https://github.com/code-423n4/2021-06-gro/blob/091660467fc8d13741f8aafcec80f1e8cf129a33/contracts/common/FixedContracts.sol#L17-L20

https://github.com/code-423n4/2021-06-gro/blob/091660467fc8d13741f8aafcec80f1e8cf129a33/contracts/common/FixedContracts.sol#L63-L66

https://github.com/code-423n4/2021-06-gro/blob/091660467fc8d13741f8aafcec80f1e8cf129a33/contracts/common/FixedContracts.sol#L82-L86

https://github.com/code-423n4/2021-06-gro/blob/091660467fc8d13741f8aafcec80f1e8cf129a33/contracts/vaults/BaseVaultAdaptor.sol#L77-L78

https://github.com/code-423n4/2021-06-gro/blob/091660467fc8d13741f8aafcec80f1e8cf129a33/contracts/pools/LifeGuard3Pool.sol#L67-L69

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add zero-address checks for all initializations/setters of all address state variables.

flabble-gro commented 3 years ago

Duplicate of #90

ghoul-sol commented 3 years ago

Duplicate of #90