The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

No zero address check and one step ownership transfer

Summary

There is no zero address check when sending a token to another address and setting the new owner.

Vulnerability Details

In the _afterTokenTransfer function

    function _afterTokenTransfer(address _from, address _to, uint256 _tokenId, uint256) internal override {
        smartVaultIndex.transferTokenId(_from, _to, _tokenId);
        if (address(_from) != address(0)) ISmartVault(smartVaultIndex.getVaultAddress(_tokenId)).setOwner(_to);
        emit VaultTransferred(_tokenId, _from, _to);
    }

there is no zero address check.
The function itself calls the setOwner function, which has no zero address check either:

    function setOwner(address _newOwner) external onlyVaultManager {
        owner = _newOwner;
    }

Impact

The impact would be ownership of the tokens being transferred to the zero address.

Tools Used

Manual Review

Recommendations

Implement the following check:

    require(_to != address(0), "Transfer to address zero.");

Additionally, consider implementing a two-step process where the owner or controller nominates an account and the nominated account needs to call an acceptOwnership() function for the transfer of admin to fully succeed. This ensures the nominated EOA account is a valid and active account.
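
A sketch of the two-step transfer recommended above, as an added example that is not code from the submission or from the audited project. The contract name, `manager`, `pendingOwner`, `nominateOwner`, the events and the custom errors are hypothetical; only `owner`, `onlyVaultManager` and `acceptOwnership()` echo names used on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; not the audited SmartVault code.
// Hypothetical names: TwoStepOwnedVault, manager, pendingOwner, nominateOwner, events, errors.
contract TwoStepOwnedVault {
    address public immutable manager; // stands in for the vault manager
    address public owner;
    address public pendingOwner;

    event OwnershipNominated(address indexed currentOwner, address indexed nominee);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotManager();
    error NotNominee();
    error ZeroAddress();

    modifier onlyVaultManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    constructor(address _manager, address _owner) {
        if (_manager == address(0) || _owner == address(0)) revert ZeroAddress();
        manager = _manager;
        owner = _owner;
        emit OwnershipTransferred(address(0), _owner);
    }

    // Step 1: the manager nominates a new owner; `owner` is unchanged until acceptance.
    function nominateOwner(address _newOwner) external onlyVaultManager {
        if (_newOwner == address(0)) revert ZeroAddress();
        pendingOwner = _newOwner; // a later nomination overwrites an unaccepted one
        emit OwnershipNominated(owner, _newOwner);
    }

    // Step 2: only the nominee can complete the transfer, which shows the
    // nominated account is live and controlled by a key holder.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotNominee();
        address previous = owner;
        owner = pendingOwner;
        delete pendingOwner; // clear the nomination so it cannot be replayed
        emit OwnershipTransferred(previous, owner);
    }
}
```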

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

single-step-ownership

informational/invalid
