DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Invalid

Lack of Zero-Address Validation in Asset.sol Constructor

Summary

The smart contract Asset.sol has a potential security vulnerability in its constructor function. The constructor does not validate if the diamondAddr parameter is a zero address, which could lead to unintended behavior and potential security risks.

Vulnerability Details

    constructor(address diamondAddr, string memory name, string memory symbol)
        ERC20(name, symbol)
    {
        diamond = diamondAddr;
    }

The constructor of the Asset contract takes diamondAddr as a parameter and assigns it to the diamond state variable. However, there is no check to ensure that diamondAddr is not a zero address.

Impact

The impact of this issue could be significant. If the diamond address is mistakenly set to the zero address, it would mean that no address could call the functions protected by the onlyDiamond modifier. This could effectively lock the contract, preventing the minting and burning of tokens.

Tools Used
The vulnerability was identified using manual code review techniques.

Recommendations

It is recommended to add a check in the constructor to ensure that diamondAddr is not a zero address. This can be done using the require function to validate the input.

Here is the recommended fix:

    constructor(address diamondAddr, string memory name, string memory symbol)
        ERC20(name, symbol)
    {
        require(diamondAddr != address(0), "Diamond address cannot be 0");
        diamond = diamondAddr;
    }

This code will revert the transaction if diamondAddr is the zero address, preventing the diamond
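The lock-out described under Impact and the constructor check from the Recommendations, as an added example that is not part of the original submission or the DittoETH code base. AssetSketch is a simplified stand-in for Asset.sol with no ERC20 base; the body of onlyDiamond, the custom errors and the AssetSketchCheck harness are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified stand-in for Asset.sol: no ERC20 base, only a balance mapping (assumption).
contract AssetSketch {
    address private diamond;
    mapping(address => uint256) public balanceOf;

    error ZeroDiamond();
    error NotDiamond();

    // Assumed shape of onlyDiamond: only the configured diamond may call.
    modifier onlyDiamond() {
        if (msg.sender != diamond) revert NotDiamond();
        _;
    }

    constructor(address diamondAddr) {
        // Without this check, diamond == address(0) leaves mint and burn
        // unreachable: no transaction can originate from the zero address.
        if (diamondAddr == address(0)) revert ZeroDiamond();
        diamond = diamondAddr;
    }

    function mint(address to, uint256 amount) external onlyDiamond {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyDiamond {
        balanceOf[from] -= amount;
    }
}

// Hypothetical harness: each function returns true when the behaviour holds.
contract AssetSketchCheck {
    function zeroDiamondDeployReverts() external returns (bool) {
        try new AssetSketch(address(0)) {
            return false; // deployment succeeded, so the guard is missing
        } catch {
            return true;
        }
    }

    function diamondCanMintAndBurn() external returns (bool) {
        AssetSketch asset = new AssetSketch(address(this));
        asset.mint(address(0xBEEF), 5);
        asset.burn(address(0xBEEF), 2);
        return asset.balanceOf(address(0xBEEF)) == 3;
    }
}
```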

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Zero address checks
