sherlock-audit / 2023-12-avail-judging

Anubis - Missing Zero Address Validation for Token Addresses #73

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

Anubis

high

Missing Zero Address Validation for Token Addresses

Summary

The smart contract does not consistently validate that token addresses are not the zero address, notably in the updateTokens function.

Vulnerability Detail

In the updateTokens function, there's no check to prevent the zero address from being set as a token address. This could lead to scenarios where tokens are sent to the zero address, effectively getting burned and causing irreversible financial loss.

Impact

Sending tokens to the zero address would result in a permanent loss of those tokens, which could be significant depending on the amount and the token's value.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L132-L135

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L141

Tool used

Manual Review

Recommendation

Implement a check to ensure that none of the tokenAddresses are the zero address. This can be done by adding a condition like require(tokenAddresses[i] != address(0), "Token address cannot be the zero address"); inside the loop.

sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Information issue

takarez commented:

invalid because {invalid: out of scope}