sherlock-audit / 2024-02-rubicon-finance-judging


DJINN - Missing address(0) checks for `_owner` in `RubiconFeeController.initialize()` and `BaseGladiusReactor.initialize()` #47

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

DJINN

medium

Missing address(0) checks for _owner in RubiconFeeController.initialize() and BaseGladiusReactor.initialize()

Summary

The initialize() functions set the owner of the contract without checking if the provided address is the zero address.

Vulnerability Detail

The initialize() functions can set address(0) as the owner of the contract. Furthermore, the setOwner() method cannot be called afterward to change the owner of a deployed contract.

Impact

Setting the owner of the contract wrongly will cause the deployed contract to be unusable.

Code Snippet

Tool used

Manual Review

Recommendation

Add a zero address check before setting the owner, such as: `require(_owner != address(0), "Invalid address");`
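The pattern the report describes, shown beside the recommended check, as an added example that is not part of the original issue and is not Rubicon's code. The contract names, the `initialized` flag, the custom errors and the owner-gated `setOwner()` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical base contract (assumption): one-time initialization plus an
// owner-gated setOwner(), the only path for changing the owner afterward.
abstract contract OwnedBase {
    address public owner;
    bool internal initialized;

    error AlreadyInitialized();
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setOwner(address newOwner) external onlyOwner {
        owner = newOwner;
    }
}

// Unchecked form: initialize(address(0)) succeeds and consumes the one-time flag.
// After that, onlyOwner compares msg.sender with address(0), which no account
// can send a transaction as, so setOwner() and every owner-only function revert.
contract UncheckedInit is OwnedBase {
    function initialize(address _owner) external {
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        owner = _owner;
    }
}

// Checked form: the check from the Recommendation runs before any state is
// written, so a bad argument reverts and initialize() can be called again
// with a valid address.
contract CheckedInit is OwnedBase {
    function initialize(address _owner) external {
        if (initialized) revert AlreadyInitialized();
        require(_owner != address(0), "Invalid address");
        initialized = true;
        owner = _owner;
    }
}
```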

sherlock-admin commented 7 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Information

0xAadi commented:

Invalid: Admin/Owner is Trusted