sherlock-admin2
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { constructor == admin task -> invalid}
Closed sherlock-admin closed 9 months ago
sherlock-admin2
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { constructor == admin task -> invalid}
nevillehuang
commented
9 months ago Invalid, known issue and address zero check is not valid based on sherlock rules
- Zero address checks: Check to make sure input values are not zero addresses.
millietez
medium
No validation of the address parameter value in the contract constructor
Summary
No validation of the address parameter value in the contract constructor
Vulnerability Detail
In the
DepositStableCoinToDealecontract, the variable is assigned the value of the constructor input parameter. But this parameter is not checked beforehand, and also the implementation of the interface is not checked. If the value turns out to be zero, then it will be necessary to redeploy the contract, since there is no other functionality to set this variable.In line 23 https://github.com/JOJOexchange/smart-contract-EVM/blob/aca8529979caa9e99ea48948645e041925731ef4/src/DepositStableCoinToDealer.sol#L23 the
jojoDealervariable is set to the value of the_JOJODealerinput parameter, theusdcvariable is set to the value of the_usdcinput parameter, thewethvariable is set to the value of the_wethinput parameter.Impact
If the dealer is used to conduct operations or exchanges, setting the dealer's address to zero will make it impossible to interact with it.
Code Snippet
https://github.com/JOJOexchange/smart-contract-EVM/blob/aca8529979caa9e99ea48948645e041925731ef4/src/DepositStableCoinToDealer.sol#L23
Tool used
Manual Review
Recommendation
It is necessary to add a check of the input parameter to zero before initializing the variable and utilize ERC165 checks to verify the interface.