The deprecateAsset function in the AssetPluginRegistry contract does not validate if the _asset address is address(0).
This can lead to a few issues:
Setting isDeprecated[address(0)] to true may cause unintended behavior since address(0) is often used as a sentinel value and marking it as deprecated might not be meaningful or appropriate.
If _asset is address(0), it might result in incorrect or unexpected state changes in the contract, potentially affecting other functionalities that depend on asset deprecation.
Proof of Concept
Call deprecateAsset function with _asset set to address(0).
The state change isDeprecated[address(0)] = true occurs without any validation, which could cause unintended consequences.
Tools Used
Manual Testing.
Recommended Mitigation Steps
Update the deprecateAsset function to include validation for the _asset parameter to ensure it is not address(0).
The updated implementation includes a require statement to check that _asset is not address(0), preventing any unintended state changes for this specific address.
This validation ensures that the contract operates correctly and avoids potential misuse or erroneous behavior associated with the address(0) value.
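The check described above, shown next to the unchecked form as an added example. This is not the report's "Updated Function" and not the AssetPluginRegistry source: the contract name, the single-owner access control, the event and the function name deprecateAssetUnchecked are assumptions made for illustration; only deprecateAsset, isDeprecated and _asset come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified stand-in for an asset registry (hypothetical, for illustration only).
contract AssetRegistrySketch {
    // Assumption: a single owner gates deprecation; the real contract's
    // access control is not shown in the report.
    address public immutable owner;

    // Name taken from the report: asset address => deprecated flag.
    mapping(address => bool) public isDeprecated;

    // Hypothetical event so the state change is observable off-chain.
    event AssetDeprecated(address indexed asset);

    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Behaviour the report describes: _asset is never checked, so a call
    /// with address(0) sets isDeprecated[address(0)] = true.
    function deprecateAssetUnchecked(address _asset) external onlyOwner {
        isDeprecated[_asset] = true;
        emit AssetDeprecated(_asset);
    }

    /// Recommended form: reject address(0) before any state is written,
    /// so the call reverts and isDeprecated[address(0)] stays false.
    function deprecateAsset(address _asset) external onlyOwner {
        require(_asset != address(0), "asset is zero address");
        isDeprecated[_asset] = true;
        emit AssetDeprecated(_asset);
    }
}
```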
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/registry/AssetPluginRegistry.sol#L107
Assessed type
Invalid Validation