The functions setDistribution, setRewardTokenConfig, and setDepositTokenConfig lack checks for zero addresses. This can lead to setting a critical contract address to the zero address, resulting in potential loss of funds or failed transactions.
Zero address vulnerabilities can render the contract unusable or lead to loss of assets.
function setDistribution(address distribution_) public onlyOwner {
+ require(distribution_ != address(0), "L1S: invalid distribution");
distribution = distribution_;
}
function setRewardTokenConfig(RewardTokenConfig calldata newConfig_) public onlyOwner {
+ require(newConfig_.receiver != address(0), "L1S: invalid receiver");
+ require(newConfig_.gateway != address(0), "L1S: invalid gateway");
rewardTokenConfig = newConfig_;
}
function setDepositTokenConfig(DepositTokenConfig calldata newConfig_) public onlyOwner {
require(newConfig_.receiver != address(0), "L1S: invalid receiver");
+ require(newConfig_.gateway != address(0), "L1S: invalid gateway");
DepositTokenConfig storage oldConfig = depositTokenConfig;
_replaceDepositToken(oldConfig.token, newConfig_.token);
_replaceDepositTokenGateway(oldConfig.gateway, newConfig_.gateway, oldConfig.token, newConfig_.token);
depositTokenConfig = newConfig_;
}
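Review bot: In setDepositTokenConfig, newConfig_.token is passed to _replaceDepositToken and _replaceDepositTokenGateway and then written to storage, but the function only checks receiver and gateway against address(0). If a zero token is not a valid configuration here, add a matching check before the two helper calls, for example require(newConfig_.token != address(0), "L1S: invalid token"); the error string is only a suggestion that follows the existing "L1S:" prefix.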
(Additional) Missing Event Emissions: Consider adding events for all the functions above, as they make impactful changes to the protocol.