search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

Anubis - Lack of Validation for newFeeRecipient in initialize Function #55

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

Anubis

medium

Lack of Validation for newFeeRecipient in initialize Function

Summary

The initialize function does not validate whether the newFeeRecipient address is a zero address. Accepting a zero address could lead to funds being locked forever when calling withdrawFees.

Vulnerability Detail

The contract is initialized without checking if the provided newFeeRecipient address is the zero address. This lack of validation might lead to issues when withdrawFees is called, as sending funds to the zero address would lock them permanently.

Impact

Assigning the zero address as the fee recipient would permanently disable the withdrawal functionality for the fees, potentially leading to locked funds.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L87-L89

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L94-L97

Tool used

Manual Review

Recommendation

Implement a check in the initialize function to ensure that the newFeeRecipient address is not the zero address. This can be achieved by adding a requirement statement:

require(newFeeRecipient != address(0), "Fee recipient address cannot be the zero address");
sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. Admin mistake. See Sherlock documentation

takarez commented:

invalid because { invalid}