stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

Lack of zero address check in `setRewardsInitiator` function

Summary

In the SDLPoolCCIPControllerPrimary contract, the setRewardsInitiator function currently lacks validation for the rewards initiator address, allowing the input to potentially be set as the zero address. This absence of validation introduces security risks and may result in a loss of control over the rewards system.

Vulnerability Details

The setRewardsInitiator function allows setting the rewards initiator address without checking if it is the zero address (address(0)). This lack of validation could pose security risks.

Impact

  • Unintended behavior: Allowing the zero address as the rewards initiator may result in unexpected behavior and consequences within the contract logic.

  • Loss of control: Allowing the zero address as the rewards initiator could potentially compromise the sole authority to update rewards, leading to unintended control by unauthorized entities.

Tools Used

Manually.

Recommendations

To address the identified issue and enhance the security of the contract, the following recommendations are provided:

Add Zero Address Check:

  • Implement a check in the setRewardsInitiator function to ensure that the provided rewards initiator address is not the zero address (address(0)).

```solidity
function setRewardsInitiator(address _rewardsInitiator) external onlyOwner {
    // Reject the zero address before updating the stored initiator
    require(_rewardsInitiator != address(0), "Invalid rewards initiator address");
    rewardsInitiator = _rewardsInitiator;
}
```

This modification ensures that only valid addresses are accepted as the rewards initiator.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
