code-423n4 / 2021-08-notional-findings


Lack of Zero Address Validation #93

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

leastwood

Vulnerability details

Impact

There is currently no input validation done on the Router.initialize() and NoteERC20.initialize() functions, potentially leading to an initialized state where the contracts have no owner and the deployer needs to re-deploy the contract to have it working properly.

Proof of Concept

https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/Router.sol#L63-L92
https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/governance/NoteERC20.sol#L90-L108

Tools Used

Manual code review

Recommended Mitigation Steps

Perform zero address checks for the owner_, pauseRouter_ and pauseGuardian_ inputs to ensure the contract isn't initialized into an unexpected state.
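The following is an added example illustrating the mitigation above; it is not Notional's code and the contract name `RouterLike`, the `initialized` flag and the custom errors are assumptions for illustration. Only the three parameter names (`owner_`, `pauseRouter_`, `pauseGuardian_`) come from the finding. The one-shot `initialized` guard is what makes a zero-address mistake costly: once `initialize()` has run with a bad value, it cannot be called again and the contract must be redeployed, so the checks must happen before any state is committed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example (not Notional's code): a minimal one-shot initializable
/// contract carrying the three privileged addresses named in the finding.
contract RouterLike {
    address public owner;
    address public pauseRouter;
    address public pauseGuardian;
    bool private initialized; // assumed guard: initialize() may run only once

    event Initialized(address owner, address pauseRouter, address pauseGuardian);

    error AlreadyInitialized();
    error ZeroAddress(string parameter);

    /// Sets the privileged roles exactly once. Every address is validated
    /// before any storage write so that a failed call leaves the contract
    /// uninitialized and still usable rather than stuck with owner == 0.
    function initialize(
        address owner_,
        address pauseRouter_,
        address pauseGuardian_
    ) external {
        if (initialized) revert AlreadyInitialized();

        // Zero-address checks recommended by the finding.
        if (owner_ == address(0)) revert ZeroAddress("owner_");
        if (pauseRouter_ == address(0)) revert ZeroAddress("pauseRouter_");
        if (pauseGuardian_ == address(0)) revert ZeroAddress("pauseGuardian_");

        initialized = true;
        owner = owner_;
        pauseRouter = pauseRouter_;
        pauseGuardian = pauseGuardian_;
        emit Initialized(owner_, pauseRouter_, pauseGuardian_);
    }

    /// Without the checks above, owner could be address(0) after
    /// initialization and no caller would ever pass this modifier.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Example privileged action gated on the validated owner.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress("newOwner");
        owner = newOwner;
    }
}
```

Reverting with a named parameter in the error makes a misconfigured deployment script fail loudly at the `initialize()` transaction, which is the cheapest point to catch it; after that transaction succeeds the only remedy is the redeployment the finding describes.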

ghoul-sol commented 3 years ago

There are no significant consequences other than redeployment of the contract, and it still requires human error. This is a best-practice recommendation, ergo non-critical.