The constructor of the WrappedAvail smart contract currently lacks a crucial zero-address check for the bridge parameter. This omission introduces a potential vulnerability that could impede the intended functionalities of minting and burning ERC20 tokens (WAVAIL).
Vulnerability Detail
The absence of a zero-address check in the constructor allows for the deployment of the contract with an invalid or zero address as the bridge. This oversight poses a risk of undesired consequences, potentially disrupting the minting and burning operations and compromising the integrity of the ERC20 token contract.
Impact
If the bridge parameter is set to a zero address during contract deployment, it may result in unexpected behavior and security vulnerabilities. The contract won't be able to mint or burn the tokens.
namx05
medium
Missing Zero-Address Check in Constructor
Summary
The constructor of the
WrappedAvail
smart contract currently lacks a crucial zero-address check for the bridge parameter. This omission introduces a potential vulnerability that could impede the intended functionalities of minting and burning ERC20 tokens (WAVAIL).Vulnerability Detail
The absence of a zero-address check in the constructor allows for the deployment of the contract with an invalid or zero address as the bridge. This oversight poses a risk of undesired consequences, potentially disrupting the minting and burning operations and compromising the integrity of the ERC20 token contract.
Impact
If the
bridge
parameter is set to a zero address during contract deployment, it may result in unexpected behavior and security vulnerabilities. The contract won't be able to mint or burn the tokens.Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/WrappedAvail.sol#L18-L21
Tool used
Manual Review
Recommendation
Add a require statement to verify that the supplied address is not the zero address