code-423n4 / 2023-08-arbitrum-findings

Missing validation to ensure that the _l2CoreGovTimelock parameter is not the zero address in the initialize function #246

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/SecurityCouncilManager.sol#L115

Vulnerability details

Impact

The initialize function accepts a parameter _l2CoreGovTimelock and does check if it's a contract address using Address.isContract(). However, there's no explicit check to ensure that _l2CoreGovTimelock is not the zero address (0x0000000000000000000000000000000000000000), which is a common source of issues in Ethereum smart contracts.

Proof of Concept

Assigning the zero address to _l2CoreGovTimelock may lead to undesired behaviors, lost funds, or security vulnerabilities, depending on how _l2CoreGovTimelock is used throughout the contract.

Tools Used

Manual

Recommended Mitigation Steps

Add a check at the start of the initialize function to ensure that _l2CoreGovTimelock is not the zero address:

require(_l2CoreGovTimelock != address(0), "_l2CoreGovTimelock cannot be the zero address");

Assessed type

Invalid Validation

0xSorryNotSorry commented 1 year ago

0x0000000000000000000000000000000000000000 can't pass isContract validation anyways.
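Added example, not part of the thread and not the Arbitrum governance code: a minimal sketch of why a code-size check already rejects the zero address. The contract names `TimelockHolder` and `ZeroAddressProbe` and the helper `_isContract` are hypothetical; the helper uses the same `account.code.length > 0` test as OpenZeppelin 4.x `Address.isContract`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Illustration only: hypothetical contracts, not the SecurityCouncilManager source.
error NotAContract(address account);

contract TimelockHolder {
    address public l2CoreGovTimelock;
    bool private initialized;

    // Same test as OpenZeppelin 4.x Address.isContract: deployed code size > 0.
    function _isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }

    function initialize(address _l2CoreGovTimelock) external {
        require(!initialized, "already initialized");
        // address(0) has no deployed code, so it fails here without
        // a separate `!= address(0)` require.
        if (!_isContract(_l2CoreGovTimelock)) {
            revert NotAContract(_l2CoreGovTimelock);
        }
        initialized = true;
        l2CoreGovTimelock = _l2CoreGovTimelock;
    }
}

contract ZeroAddressProbe {
    // Deploys a fresh holder and reports whether initialize(candidate) reverted.
    function rejects(address candidate) public returns (bool) {
        TimelockHolder holder = new TimelockHolder();
        try holder.initialize(candidate) {
            return false;
        } catch {
            return true;
        }
    }

    // Expected on a standard EVM test chain: (true, true, true).
    function check() external returns (bool zeroRejected, bool eoaRejected, bool contractAccepted) {
        zeroRejected = rejects(address(0));
        // Constructed address, assumed to hold no code in the test environment.
        eoaRejected = rejects(address(0xBEEF));
        // This probe is deployed, so its own address has code.
        contractAccepted = !rejects(address(this));
    }
}
```

The code-size check is the stricter of the two conditions: it also rejects any non-zero address without code, which a bare zero-address `require` would accept.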

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Invalid