DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Invalid

Lack of Zero Address Checks in Constructors of Ditto.sol and Asset.sol Contracts

Vulnerability Details

In both Ditto.sol and Asset.sol, the constructors accept an address parameter diamondAddr to initialize the diamond state variable. However, there is no check to ensure that the provided address is not the zero address.

For Ditto.sol:

constructor(address diamondAddr) ERC20("Ditto", "DITTO") ERC20Permit("Ditto") {
    diamond = diamondAddr;
}

For Asset.sol:

constructor(address diamondAddr, string memory name, string memory symbol)
    ERC20(name, symbol)
{
    diamond = diamondAddr;
}

The same applies to the VaultFacet.sol constructor:

constructor(address _zeth) {
    carbonZeth = _zeth;
}

Failing to validate the address could lead to issues during contract deployment and subsequent operations.

Impact

Invalid Contract State: Deploying the contract with a zero address could lead to an invalid contract state that may disrupt the normal functioning of the protocol.

Recommendations

Add Zero Address Checks: Implement a require statement in both constructors to check that the diamondAddr is not a zero address.

{
+ require(diamondAddr != address(0), "Zero address not allowed");
diamond = diamondAddr;
}
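
Review bot: the added require guards only diamondAddr, but the finding also lists the VaultFacet.sol constructor, which assigns carbonZeth = _zeth with no check, so the suggested fix does not cover everything the report flags. The snippet also omits the constructor signature, which leaves it unclear which contract it is meant for. Suggest stating that the same guard goes into the Ditto.sol and Asset.sol constructors and adding an equivalent check on _zeth in VaultFacet.sol.
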
Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Zero address checks
