code-423n4 / 2022-03-volt-findings


Setting the minter address to address(0) can lead to breaking the contract set. #3

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/vcon/Vcon.sol#L110-L117

Vulnerability details

Impact

The highlighted issue can lead to breaking the functionality of the contract set.

Proof of Concept

In certain set functions in the codebase, we are allowing the values to be set to address(0), or allowing the case where `old address = new address`. This was observed in the following code snippets:

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/vcon/Vcon.sol#L110-L117

The above snippet allows address(0) to be set as the minter address, which could lead to nobody being able to mint tokens.

Tools Used

Manual checks

Recommended Mitigation Steps

The solution is to add a check to ensure that address(0) is not used as input for these set functions. Ensure that all other update functions also check for the same condition.
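The recommended check, shown as an added example that is not part of the original report and is not the code of Vcon.sol: a setter that accepts any value beside one that rejects address(0) and an unchanged address. The contract, its function, event and error names are hypothetical, and it assumes the setter is restricted to the current minter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical token fragment for illustration; not the code of Vcon.sol.
contract MinterGuardExample {
    address public minter;

    event MinterChanged(address indexed oldMinter, address indexed newMinter);
    event Minted(address indexed to, uint256 amount);

    error NotMinter();
    error ZeroAddress();
    error MinterUnchanged();

    constructor(address initialMinter) {
        if (initialMinter == address(0)) revert ZeroAddress();
        minter = initialMinter;
    }

    // Assumption: only the current minter may mint or hand over the role.
    modifier onlyMinter() {
        if (msg.sender != minter) revert NotMinter();
        _;
    }

    // Weak form: accepts any value. Once minter == address(0), no caller can
    // satisfy onlyMinter again, so minting and this setter are both locked.
    function setMinterUnchecked(address newMinter) external onlyMinter {
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    // Hardened form: rejects address(0) and a no-op update before writing.
    function setMinter(address newMinter) external onlyMinter {
        if (newMinter == address(0)) revert ZeroAddress();
        if (newMinter == minter) revert MinterUnchanged();
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    // Stand-in for the mint path; a real token would update balances here.
    function mint(address to, uint256 amount) external onlyMinter {
        if (to == address(0)) revert ZeroAddress();
        emit Minted(to, amount);
    }
}
```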

ElliotFriedman commented 2 years ago

Vcon.sol was not in scope for this contest, so this issue is not valid: https://code4rena.com/contests/2022-03-volt-protocol-contest