search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

namx05 - Missing Zero-Address Check in Constructor #48

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

namx05

medium

Missing Zero-Address Check in Constructor

Summary

The constructor of the WrappedAvail smart contract currently lacks a crucial zero-address check for the bridge parameter. This omission introduces a potential vulnerability that could impede the intended functionalities of minting and burning ERC20 tokens (WAVAIL).

Vulnerability Detail

The absence of a zero-address check in the constructor allows for the deployment of the contract with an invalid or zero address as the bridge. This oversight poses a risk of undesired consequences, potentially disrupting the minting and burning operations and compromising the integrity of the ERC20 token contract.

Impact

If the bridge parameter is set to a zero address during contract deployment, it may result in unexpected behavior and security vulnerabilities. The contract won't be able to mint or burn the tokens.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/WrappedAvail.sol#L18-L21

Tool used

Manual Review

Recommendation

Add a require statement to verify that the supplied address is not the zero address

constructor(address _bridge) ERC20Permit("Wrapped Avail") ERC20("WAVAIL", "Wrapped Avail") {
+    require(_bridge != address(0), "Bridge address cannot be zero");
    bridge = _bridge;
}
sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Information issue

takarez commented:

invalid because { invalid : out-of scope}