Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/registry/AssetPluginRegistry.sol#L107

Vulnerability details

Impact

The deprecateAsset function in the AssetPluginRegistry contract does not validate if the _asset address is address(0).

This can lead to few issues:

Setting isDeprecated[address(0)] to true may cause unintended behavior since address(0) is often used as a sentinel value and marking it as deprecated might not be meaningful or appropriate.
If _asset is address(0), it might result in incorrect or unexpected state changes in the contract, potentially affecting other functionalities that depend on asset deprecation.

Proof of Concept

Call deprecateAsset function with _asset set to address(0).
The state change isDeprecated[address(0)] = true occurs without any validation, which could cause unintended consequences.

Tools Used

Manual Testing.

Recommended Mitigation Steps

Update the deprecateAsset function to include validation for the _asset parameter to ensure it is not address(0).

Updated Function:

function deprecateAsset(address _asset) external {
    if (!roleRegistry.isOwnerOrEmergencyCouncil(msg.sender)) {
        revert AssetPluginRegistry__InvalidCaller();
    }

    require(_asset != address(0), "Invalid asset address");
    isDeprecated[_asset] = true;
}

Explanation:

The updated implementation includes a require statement to check that _asset is not address(0), preventing any unintended state changes for this specific address.
This validation ensures that the contract operates correctly and avoids potential misuse or erroneous behavior associated with the address(0) value.

Assessed type

Invalid Validation

code-423n4 / 2024-07-reserve-validation

Invalid Input Validation for Address(0) in `deprecateAsset` Function #6