The constructor of the WrappedAvail contract does not validate the input for the bridge address. Accepting a zero address could lead to a non-functional contract.
Vulnerability Detail
The contract is initialized without checking if the provided _bridge address is the zero address. This lack of validation might lead to issues in minting and burning functionalities, as these operations rely on the bridge address being a legitimate contract address.
Impact
If the bridge address is set to zero, it would permanently disable the mint and burn functionalities, as the onlyAvailBridge modifier would always fail, potentially rendering the contract useless.
Implement a validation check in the constructor to ensure that the _bridge address is not the zero address. This can be achieved by adding a requirement statement:
require(_bridge != address(0), "Bridge address cannot be the zero address");
Anubis
medium
Lack of Zero Address Validation in Constructor
Summary
The constructor of the WrappedAvail contract does not validate the input for the bridge address. Accepting a zero address could lead to a non-functional contract.
Vulnerability Detail
The contract is initialized without checking if the provided _bridge address is the zero address. This lack of validation might lead to issues in minting and burning functionalities, as these operations rely on the bridge address being a legitimate contract address.
Impact
If the bridge address is set to zero, it would permanently disable the mint and burn functionalities, as the onlyAvailBridge modifier would always fail, potentially rendering the contract useless.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/WrappedAvail.sol#L18-L21
Tool used
Manual Review
Recommendation
Implement a validation check in the constructor to ensure that the _bridge address is not the zero address. This can be achieved by adding a requirement statement: