search

code-423n4 / 2022-05-factorydao-findings

1 stars 1 forks source link

Missing zero address check in constructor may lead to zero Tax #257

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L75-L78

Vulnerability details

Impact

Due to a missing zero address check of _globalBeneficiary in the constructor on #L75 of PermissionlessBasicPoolFactory.sol , a new globalTaxPerCapita cannot be set in setGlobalTax() function.

Assume _globalBeneficiary and _globalTaxPerCapita are both set to zero by mistake during contract creation, then the taxPerCapita will always be 0 for every token put into the pool leading to Pool Creator not earning any tax revenue.

Proof of Concept

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L75-L78

Tools Used

Manual review

Recommended Mitigation Steps

Consider adding zero address check in the PermissionlessBasicPoolFactory.sol constructor.

illuzen commented 2 years ago

Duplicate #68

gititGoro commented 2 years ago

Zero checks in the constructor hardly count as QA. Marking as invalid.