sherlock-audit / 2024-01-telcoin-judging


BAICE - Missing checks of 0x00 address when setting a number or an address #182

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

BAICE

medium

Missing checks of 0x00 address when setting a number or an address

Summary

Missing checks of 0x00 address when setting a number or an address

Vulnerability Detail

Loss of zero address or zero value checks. In CouncilMember:initialize

function initialize(
        IERC20 telcoin,
        string memory name_,
        string memory symbol_,
        IPRBProxy stream_,
        address target_,
        uint256 id_
    ) external initializer {
        _grantRole(DEFAULT_ADMIN_ROLE, _msgSender());
        __ERC721_init(name_, symbol_);
        TELCOIN = telcoin;
        _stream = stream_;
        _target = target_;
        _id = id_;
    }

In RewardsDistributionRecipient:setRewardsDistribution

function setRewardsDistribution(
        address rewardsDistribution_
    ) external onlyOwner {
        rewardsDistribution = rewardsDistribution_;
        emit RewardsDistributionUpdated(rewardsDistribution);
    }

Impact

A wrong address may be set in the contract.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L56-L69

  function initialize(
        IERC20 telcoin,
        string memory name_,
        string memory symbol_,
        IPRBProxy stream_,
        address target_,
        uint256 id_
    ) external initializer {
        _grantRole(DEFAULT_ADMIN_ROLE, _msgSender());
        __ERC721_init(name_, symbol_);
        TELCOIN = telcoin;
        _stream = stream_;
        _target = target_;
        _id = id_;
    }

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/abstract/RewardsDistributionRecipient.sol#L42-L47

function setRewardsDistribution(
        address rewardsDistribution_
    ) external onlyOwner {
        rewardsDistribution = rewardsDistribution_;
        emit RewardsDistributionUpdated(rewardsDistribution);
    }

Tool used

Manual Review, VsCode

Recommendation

Add zero address checks like TelcoinDistributor:constructor

 require(
          address(telcoin) != address(0) &&
              address(council) != address(0) &&
              period != 0,
          "TelcoinDistributor: cannot intialize to zero"
        );

Duplicate of #4
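
One way to look for the same pattern across other functions, as an added example that is not part of the original report or of the Telcoin code: a heuristic Python check that lists address or contract-typed parameters a function never compares with `address(0)`. The sample input is constructed from the two quoted functions plus a hypothetical `setGuarded`; the helper names are assumptions, zero-value checks on numbers such as `id_` are out of scope, and struct, enum or array parameters would also be reported.

```python
import re
# Constructed sample: the two functions quoted in the report (reflowed), plus a
# hypothetical guarded setter, setGuarded, for contrast.
SOURCE = '''
function initialize(IERC20 telcoin, string memory name_, string memory symbol_,
        IPRBProxy stream_, address target_, uint256 id_) external initializer {
    _grantRole(DEFAULT_ADMIN_ROLE, _msgSender());
    __ERC721_init(name_, symbol_);
    TELCOIN = telcoin; _stream = stream_; _target = target_; _id = id_;
}
function setRewardsDistribution(address rewardsDistribution_) external onlyOwner {
    rewardsDistribution = rewardsDistribution_;
    emit RewardsDistributionUpdated(rewardsDistribution);
}
function setGuarded(address target_) external onlyOwner {
    require(target_ != address(0), "zero address");
    _target = target_;
}
'''
HEADER = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)[^{;]*\{')
VALUE_TYPE = re.compile(r'^(u?int\d*|bool|string|bytes\d*)(\[\d*\])*$')

def block_body(src, start):
    """Text of the brace-balanced block whose opening '{' ends just before start."""
    depth, i = 1, start
    while depth and i < len(src):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def unchecked_address_params(src):
    """Map function name -> address-like params never compared with address(0)."""
    findings = {}
    for m in HEADER.finditer(src):
        body, missing = block_body(src, m.end()), []
        for param in filter(None, (p.strip() for p in m.group(2).split(','))):
            typ, name = param.split()[0], param.split()[-1]
            if VALUE_TYPE.match(typ):
                continue  # heuristic: numbers, strings, bytes are not addresses
            # accepts `x != address(0)`, `address(x) != address(0)` and `== address(0)`
            guard = rf'(address\(\s*{name}\s*\)|\b{name}\b)\s*[!=]=\s*address\(0\)'
            if not re.search(guard, body):
                missing.append(name)
        if missing:
            findings[m.group(1)] = missing
    return findings

if __name__ == '__main__':
    print(unchecked_address_params(SOURCE))
```
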

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { zero address check is invalid according to sherlock}