re-al-Foundation / rwa-contracts

Core dev environment for the RWA Governance contracts

[RWV-01S] Inexistent Sanitization of Input Addresses #11

Closed chasebrownn closed 7 months ago

chasebrownn commented 7 months ago

RWV-01S: Inexistent Sanitization of Input Addresses

| Type | Severity | Location |
|---|---|---|
| Input Sanitization | | RWAVotingEscrow.sol:L182-L193 |

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

function initialize(address _lockedToken, address _vestingContract, address _endpoint, address _admin) external initializer {
    __ERC721_init("RWA Voting Escrow", "veRWA");
    __Ownable_init(_admin);
    __Votes_init();
    __UUPSUpgradeable_init();

    VotingEscrowStorage storage $ = _getVotingEscrowStorage();
    $.lockedToken = IERC20(_lockedToken);
    $.vestingContract = _vestingContract;
    $.endpointReceiver = _endpoint;
    $.maxEarlyUnlockFee = 50_00; // 50%
}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

chasebrownn commented 7 months ago

Resolved. NOTE: _endpoint is left unsanitized since that variable has a setter method on the contract. The endpoint (in experience) is usually deployed post-deployment of RWAVotingEscrow.sol anyhow.
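The recommendation and the resolution's note on `_endpoint`, shown together as an added illustration that is not the project's code: the three addresses that have no setter are rejected when zero, while `_endpoint` is accepted at initialization and validated only in its setter (setter name and the stubbed-out OpenZeppelin mixins are assumptions so the file compiles on its own).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not the project's code: the OpenZeppelin upgradeable
// mixins are replaced by a one-shot flag and a minimal owner check so it compiles alone.
interface IERC20 {}

contract SanitizedVotingEscrowExample {
    error ZeroAddress(string parameter);

    struct VotingEscrowStorage {
        IERC20 lockedToken;
        address vestingContract;
        address endpointReceiver;
        uint256 maxEarlyUnlockFee;
    }

    VotingEscrowStorage private $; // plain storage slot, not ERC-7201 namespaced
    address public owner;
    bool private initialized;

    function initialize(address _lockedToken, address _vestingContract, address _endpoint, address _admin) external {
        require(!initialized, "already initialized");
        initialized = true;

        // Addresses with no setter are checked up front: a zero value here (a
        // typical off-chain deployment-script bug) would otherwise be permanent.
        if (_lockedToken == address(0)) revert ZeroAddress("_lockedToken");
        if (_vestingContract == address(0)) revert ZeroAddress("_vestingContract");
        if (_admin == address(0)) revert ZeroAddress("_admin");
        // _endpoint is deliberately left unchecked: it has a setter and is usually
        // deployed after this contract, so zero means "not configured yet".

        owner = _admin;
        $.lockedToken = IERC20(_lockedToken);
        $.vestingContract = _vestingContract;
        $.endpointReceiver = _endpoint;
        $.maxEarlyUnlockFee = 50_00; // 50%
    }

    // Setter name is assumed. A zero value passed here is an error rather than
    // a "not yet set" state, so it is rejected.
    function setEndpointReceiver(address _endpoint) external {
        require(msg.sender == owner, "not owner");
        if (_endpoint == address(0)) revert ZeroAddress("_endpoint");
        $.endpointReceiver = _endpoint;
    }
}
```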