search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

kevinkien - Owner possible to set `Owner` and `Authority` to the zero address. #24

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 1 month ago

kevinkien

High

Owner possible to set Owner and Authority to the zero address.

Summary

The SplitterMom contract has two functions, setOwner and setAuthority, that allow changing the contract owner's address (owner) and the authority address (authority). However, neither function includes checks to prevent these addresses from being set to the zero address (0x0).

Vulnerability Detail

Impact

Setting owner or authority to the zero address can lead to the following consequences:

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/dss-flappers/src/SplitterMom.sol#L68-L76

    function setOwner(address _owner) external onlyOwner {
        owner = _owner;
        emit SetOwner(_owner);
    }

    function setAuthority(address _authority) external onlyOwner {
        authority = _authority;
        emit SetAuthority(_authority);
    }

Tool used

Manual Review

Recommendation

require checks should be added to both functions to ensure that the provided new addresses are not the zero address:

function setOwner(address _owner) external onlyOwner {
+    require(_owner != address(0), "SplitterMom/new-owner-cannot-be-zero");
    owner = _owner;
    emit SetOwner(_owner);
}

function setAuthority(address _authority) external onlyOwner {
+    require(_authority != address(0), "SplitterMom/new-authority-cannot-be-zero");
    authority = _authority;
    emit SetAuthority(_authority);
}
sunbreak1211 commented 1 month ago

This is not an issue.