Due to a missing zero address check of _globalBeneficiary in the constructor on #L75 of PermissionlessBasicPoolFactory.sol, a new globalTaxPerCapita cannot be set through the setGlobalTax() function.
If _globalBeneficiary and _globalTaxPerCapita are both set to zero by mistake during contract creation, the taxPerCapita will always be 0 for every token put into the pool, so the Pool Creator earns no tax revenue.
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L75-L78
Vulnerability details
Impact
Due to a missing zero address check of _globalBeneficiary in the constructor on #L75 of PermissionlessBasicPoolFactory.sol, a new globalTaxPerCapita cannot be set through the setGlobalTax() function.
If _globalBeneficiary and _globalTaxPerCapita are both set to zero by mistake during contract creation, the taxPerCapita will always be 0 for every token put into the pool, so the Pool Creator earns no tax revenue.
Proof of Concept
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L75-L78
Tools Used
Manual review
Recommended Mitigation Steps
Consider adding a zero address check for _globalBeneficiary in the PermissionlessBasicPoolFactory.sol constructor.
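A simplified sketch of the issue and the recommended check, added here as an example and not taken from the FactoryDAO source. The contract names are hypothetical, and it assumes setGlobalTax() is callable only by globalBeneficiary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, reduced contracts for illustration only.
// Assumption: setGlobalTax() is restricted to globalBeneficiary.

contract FactoryUnchecked {
    address public globalBeneficiary;
    uint256 public globalTaxPerCapita;

    constructor(address _globalBeneficiary, uint256 _globalTaxPerCapita) {
        // No validation: address(0) is accepted and stored.
        globalBeneficiary = _globalBeneficiary;
        globalTaxPerCapita = _globalTaxPerCapita;
    }

    function setGlobalTax(uint256 newTaxPerCapita) external {
        // No account can send a transaction as address(0), so with a zero
        // beneficiary this always reverts and the tax keeps its
        // constructor value (0 in the scenario described above).
        require(msg.sender == globalBeneficiary, "only globalBeneficiary");
        globalTaxPerCapita = newTaxPerCapita;
    }
}

contract FactoryChecked {
    address public globalBeneficiary;
    uint256 public globalTaxPerCapita;

    constructor(address _globalBeneficiary, uint256 _globalTaxPerCapita) {
        // Recommended mitigation: fail deployment on a zero beneficiary,
        // so a mistaken deployment cannot leave the tax unsettable.
        require(_globalBeneficiary != address(0), "zero beneficiary");
        globalBeneficiary = _globalBeneficiary;
        globalTaxPerCapita = _globalTaxPerCapita;
    }

    function setGlobalTax(uint256 newTaxPerCapita) external {
        require(msg.sender == globalBeneficiary, "only globalBeneficiary");
        globalTaxPerCapita = newTaxPerCapita;
    }
}
```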