search

sherlock-audit / 2024-06-boost-aa-wallet-judging

3 stars 1 forks source link

Ironsidesec - Immutable `VALIDATOR` state is never set in the constructor #454

Open sherlock-admin2 opened 2 months ago

sherlock-admin2 commented 2 months ago

Ironsidesec

Medium

Immutable VALIDATOR state is never set in the constructor

Summary

Immutable variable should be set in the constructor. Or else their state will be 0 forever. And the state being read anywhere will read it as zero address leading to revert issues, Hence DOS.

Vulnerability Detail

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/actions/EventAction.sol#L26-L28

actions/AAction.sol

19:     /// @notice The validator for the action (which may be the action itself where appropriate)
20:     AValidator public immutable VALIDATOR;

EventAction.sol
26:     constructor() {
28:         _disableInitializers();
29:     }

Impact

immutable VALIDATOR state is never set in the constructor. So wherever it is read will use zero address as validator leading to DOS/wrong calls revert.

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/actions/EventAction.sol#L26-L28

Tool used

Manual Review

Recommendation

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/actions/EventAction.sol#L26-L28

-   constructor() {
+   constructor(address VALIDATOR) {
        _disableInitializers();
+       VALIDATOR = _VALIDATOR;
    }