search

sherlock-audit / 2024-02-rubicon-finance-judging

5 stars 3 forks source link

taner2344 - setGladiusReactor function has no zero address check. #66

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

taner2344

high

setGladiusReactor function has no zero address check.

Summary

On RubiconFeeController , setGladiusReactor simply sets new GladiusReactor contract address for the protocol. which could lead to fund loses for protocol.

Vulnerability Detail

On RubiconFeeController , setGladiusReactor simply sets new GladiusReactor contract for the protocol. However ,as you can see there is no zero address check on this function even though it has made by trusted actors in auth modifier.

       function setGladiusReactor(address payable gr) external auth {
    gladiusReactor = GladiusReactor(gr);
    }

Trusted actors could pass zero address to setGladiusReactor function by mistake. This leads to locking the protocol itself and causes to fund loses for protocol

Impact

Trusted actors could pass zero address to setGladiusReactor function by mistake. This leads to locking the protocol itself and causes to fund loses for protocol

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/fee-controllers/RubiconFeeController.sol#L142-L144

Tool used

Manual Review

Recommendation

To mitigate this issue kindly consider to add following

       function setGladiusReactor(address payable gr) external auth {
        require(gr != address(0) , "zero address"); // add this line
        gladiusReactor = GladiusReactor(gr);
}
sherlock-admin commented 9 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Low

0xAadi commented:

Invalid: Admin/Owner is Trusted