Closed sherlock-admin2 closed 4 months ago
Invalid; I don't understand the issue. Modules are not represented by address(0); Also the extractModule
purposely checks if the module is address(0) and in this case reverts.
Invalid, modules are contracts that can never be address zero, so this is basically invalid based on the following sherlock rule
- Zero address checks: Check to make sure input values are not zero addresses
aycozynfada
high
Protocol might be inoperable because _extractModule checks for address zero instead of setModule
Summary
_executeModule function first of all calls the _extractModule to extract the Module address, the _extractModule function then checks for address zero before returning the module address and reverts if the module address is a zero address. This check however might be to late as it leads to a failure in the functionality of the protocol and makes the smart contract inoperable.
Vulnerability Detail.
Although sherlock states that zero address issues are not under scope, this I suppose can cause restrictions to user transactions because the _extractModule function contains address zero check instead of the _setModule function. With the way the functions are set, a zero address can be hard coded to a module, which will there after lead to issues when a user attempts a legitimate transaction. To have failed user transactions due to zero address, the check should have been implemented in the _setModule function
Impact
protocol become inoperable as expected returns are not processed
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/ModuleManager.sol#L38-L74
_executeModule function first of all calls the _extractModule to extract the Module address
the extract module however checks for zero address before returning the module