///@dev Change the contract that handles bribes
function setBribesProcessor(IBribesProcessor newBribesProcessor) external {
_onlyGovernance();
bribesProcessor = newBribesProcessor;
}
The bribeProcessor is not set in the initialize function, so it starts with zero address. Also, setBribesProcessor can set the bribesProcessor to the zero address.
Although no amount can be transferred to zero address thanks to the usage of safeTransfer, sweepRewardToken and claimBribesFromHiddenHand will revert when the bribesProcessor is not set.
To mitigate this, the bribesProcessor can be set in the initialize function and add zero address check to setBribesProcessor.
jack-the-pug
commented
2 years ago
Upgraded from #45:
Missing zero address check for
bribesProcessorThe bribeProcessor is not set in the
initializefunction, so it starts with zero address. Also,setBribesProcessorcan set thebribesProcessorto the zero address. Although no amount can be transferred to zero address thanks to the usage ofsafeTransfer,sweepRewardTokenandclaimBribesFromHiddenHandwill revert when thebribesProcessoris not set. To mitigate this, thebribesProcessorcan be set in theinitializefunction and add zero address check tosetBribesProcessor.