Submission Details
Severity: low
Valid

Missing zero address check for tokenAddresses and priceFeedAddresses

Summary

There is no zero address check for the arrays: tokenAddresses and priceFeedAddresses.

Vulnerability Details

This is a medium-risk vulnerability because it is possible to lose funds if the token addresses are set to zero addresses. Therefore, there should always be checks to make sure that initialized addresses are never a zero address as the token addresses can be set only once in the constructor. Instance:

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L119

constructor(address[] memory tokenAddresses, address[] memory priceFeedAddresses, address dscAddress) {
    // USD Price Feeds
    if (tokenAddresses.length != priceFeedAddresses.length) {
        revert DSCEngine__TokenAddressesAndPriceFeedAddressesMustBeSameLength();
    }
    // For example ETH / USD, BTC / USD, MKR / USD, etc
    for (uint256 i = 0; i < tokenAddresses.length; i++) {
        s_priceFeeds[tokenAddresses[i]] = priceFeedAddresses[i];
        s_collateralTokens.push(tokenAddresses[i]);
    }
    i_dsc = DecentralizedStableCoin(dscAddress);
}

Here, we can see that there is no zero address check.

Impact

This can result in user funds being lost forever.

Tools Used

Manual review and VS Code

Recommendations

Add a zero address require() check in the constructor.
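One way to apply this recommendation, as an added example that is not code from the audited repository. It is a trimmed, self-contained stand-in for the constructor shown above: the error `DSCEngine__ZeroAddressNotAllowed`, the contract name and the getter are hypothetical, `i_dsc` is stored as a plain `address`, and the check is written as a custom-error revert (matching the existing length check) rather than `require()`. It also goes one step beyond the finding by checking `dscAddress`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration only: a minimal stand-in for DSCEngine, not the project's contract.
contract ZeroAddressCheckedEngine {
    error DSCEngine__TokenAddressesAndPriceFeedAddressesMustBeSameLength();
    // Hypothetical error name introduced for this example.
    error DSCEngine__ZeroAddressNotAllowed();

    mapping(address => address) private s_priceFeeds;
    address[] private s_collateralTokens;
    // The original stores a DecentralizedStableCoin; a plain address keeps this self-contained.
    address private immutable i_dsc;

    constructor(address[] memory tokenAddresses, address[] memory priceFeedAddresses, address dscAddress) {
        if (tokenAddresses.length != priceFeedAddresses.length) {
            revert DSCEngine__TokenAddressesAndPriceFeedAddressesMustBeSameLength();
        }
        // Extension beyond the finding: the stablecoin address is also set only once.
        if (dscAddress == address(0)) {
            revert DSCEngine__ZeroAddressNotAllowed();
        }
        for (uint256 i = 0; i < tokenAddresses.length; i++) {
            // Reject the whole deployment if any token or feed entry is the zero address,
            // so no collateral token can be registered without a usable price feed.
            if (tokenAddresses[i] == address(0) || priceFeedAddresses[i] == address(0)) {
                revert DSCEngine__ZeroAddressNotAllowed();
            }
            s_priceFeeds[tokenAddresses[i]] = priceFeedAddresses[i];
            s_collateralTokens.push(tokenAddresses[i]);
        }
        i_dsc = dscAddress;
    }

    // Hypothetical getter so the stored mapping can be inspected after deployment.
    function getPriceFeed(address token) external view returns (address) {
        return s_priceFeeds[token];
    }
}
```

Because the values are written only in the constructor, a revert here fails the deployment itself, before any user can deposit against a misconfigured entry.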
