Open code423n4 opened 3 years ago
I disagree. Validating that an address is not zero doesn't protect against entering the wrong address, so it is at best a very partial protection.
As with all contract building, the right approach is to script the contract deployment, with input parameters in files. A testing file should be included that verifies the deployment was correct. The deployment codebase is then peer-reviewed. Finally, the deployment is first done in a mainnet fork and tested. Only then is done on mainnet and tested.
Same as for #52, it's non-critical at best
Handle
JMukesh
Vulnerability details
Impact
since the parameter in constructor are used to initialize the state variable proper input validation should be there otherwise error in these state variable can be lead to redeployment of contract
Proof of Concept
https://github.com/code-423n4/2021-08-yield/blob/4dc46470e616dd0cbd9db9b4742e36c4d809e02c/contracts/utils/EmergencyBrake.sol#L34
https://github.com/code-423n4/2021-08-yield/blob/4dc46470e616dd0cbd9db9b4742e36c4d809e02c/contracts/utils/TimeLock.sol#L29
Tools Used
manual review
Recommended Mitigation Steps
add zero address validation