First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

missing Zero Address validation on feeAddress

rapstyle

Summary

The constructor does not check that the _feeAddress passed as argument is different from the Zero Address.
The same problem also exists in the changeFeeAddress function.

Vulnerability Details

In the constructor is it possible to set feeAddress as the Zero Address.

constructor(uint256 _entranceFee, address _feeAddress, uint256 _raffleDuration) ERC721("Puppy Raffle", "PR") {

entranceFee = _entranceFee;

@> feeAddress = _feeAddress;

raffleDuration = _raffleDuration;

raffleStartTime = block.timestamp;

rarityToUri[COMMON_RARITY] = commonImageUri;

rarityToUri[RARE_RARITY] = rareImageUri;

rarityToUri[LEGENDARY_RARITY] = legendaryImageUri;

rarityToName[COMMON_RARITY] = COMMON;

rarityToName[RARE_RARITY] = RARE;

rarityToName[LEGENDARY_RARITY] = LEGENDARY;

}

The same can be done in the function changeFeeAddress.

function changeFeeAddress(address newFeeAddress) external onlyOwner {

feeAddress = newFeeAddress;

emit FeeAddressChanged(newFeeAddress);

}

In both cases you can fix the problem by adding a simple control.

constructor(uint256 _entranceFee, address _feeAddress, uint256 _raffleDuration) ERC721("Puppy Raffle", "PR") {

entranceFee = _entranceFee;

+ require(_feeAddress != address(0), "No Zero Address");

feeAddress = _feeAddress;

raffleDuration = _raffleDuration;

...

function changeFeeAddress(address newFeeAddress) external onlyOwner {

+ require(newFeeAddress != address(0), "No Zero Address");

feeAddress = newFeeAddress;

emit FeeAddressChanged(newFeeAddress);

}

Impact

Setting the feeAddress to address(0) will result in a loss of funds when calling the withdrawFees function.
The impact is low because if you insert the zero address you can change it.

Tools Used

Manual review.

Recommendations

Add a check to verify that the address passed as an argument is different from address(0).

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Zero address checks

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!