The constructor of the smart contract does not validate whether the input addresses (_TST, _EUROs, _eurUsd, _tokenManager) are zero or dead. This oversight can cause the smart contract to malfunction, as there are no owner functions available to modify these state variables post-deployment.
The constructor takes four address parameters and assigns them to state variables without any checks. In Solidity, it's crucial to ensure that address inputs are valid (i.e., not zero addresses) to prevent issues in contract execution. The absence of validation checks in the constructor could result in the assignment of invalid addresses, rendering the contract non-functional since these addresses are critical for the contract's operations.
Assigning invalid (zero or dead) addresses can severely affect the contract's functionality, leading to potential operational failures or locked funds. Since the contract lacks functions to alter these state variables post-deployment, any error in the addresses provided at the time of deployment is irreversible, posing a medium-level risk to the contract's integrity and functionality.
Manual review.
It's recommended to implement the following changes:
Validation in Constructor: Add checks in the constructor to ensure that none of the input addresses are zero. This can be done using require statements to validate each address before assignment.
Setters for State Variables: Introduce owner-only functions to set or update these state variables. This addition provides flexibility to rectify any incorrect addresses post-deployment, enhancing the contract's resilience to human error during deployment. Ensure that these setter functions are secure and accessible only to authorized personnel (e.g., contract owner).
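A sketch of both recommendations together, added here as an illustration and not taken from the audited code base. The contract name, state-variable names, errors, event, and the minimal owner logic are assumptions; only the four constructor parameter names come from the finding. Setters are shown for two of the four variables, and the others follow the same pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; contract, state-variable, error and event names are hypothetical.
contract AddressCheckedExample {
    // Conventional burn ("dead") address.
    address private constant DEAD = 0x000000000000000000000000000000000000dEaD;

    address public immutable owner;
    address public TST;
    address public EUROs;
    address public eurUsd;
    address public tokenManager;

    error InvalidAddress(string param);
    error NotOwner();
    event AddressUpdated(string param, address oldValue, address newValue);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _TST, address _EUROs, address _eurUsd, address _tokenManager) {
        owner = msg.sender;
        TST = _checked(_TST, "_TST");
        EUROs = _checked(_EUROs, "_EUROs");
        eurUsd = _checked(_eurUsd, "_eurUsd");
        tokenManager = _checked(_tokenManager, "_tokenManager");
    }

    // Reverts on the zero or dead address, otherwise returns the input unchanged.
    function _checked(address a, string memory param) private pure returns (address) {
        if (a == address(0) || a == DEAD) revert InvalidAddress(param);
        return a;
    }

    // Owner-only setters apply the same validation as the constructor.
    function setEurUsd(address _eurUsd) external onlyOwner {
        emit AddressUpdated("_eurUsd", eurUsd, _checked(_eurUsd, "_eurUsd"));
        eurUsd = _eurUsd;
    }

    function setTokenManager(address _tokenManager) external onlyOwner {
        emit AddressUpdated("_tokenManager", tokenManager, _checked(_tokenManager, "_tokenManager"));
        tokenManager = _tokenManager;
    }
}
```

Because the setters reuse `_checked`, a bad address is rejected after deployment just as it is in the constructor, and each change is recorded in an event that can be monitored.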