Submission Details
Severity:
The function setNFTDescriptor doesn't check for address zero when setting the NftDescriptor
Summary
setNFTDescriptor collects an address and emits it. It doesn't check if the address is zero and just set it as newNFTDescriptor.
Vulnerability Details
Without checking for address zero, we might lose data when we try to replace the newNFTDescriptor
Impact
Little impact to the code integrity.
function test_RevertWhen_CallerNotAdmin() external {
// Make Eve the caller in this test.
resetPrank({ msgSender: users.eve });
// Run the test.
vm.expectRevert(abi.encodeWithSelector(Errors.CallerNotAdmin.selector, users.admin, user.exe));
lockup.setNFTDescriptor(ISablierV2NFTDescriptor(address(0)));
}
Tools Used
manual
Recommendations
Check for address zero
function setNFTDescriptor(ISablierV2NFTDescriptor newNFTDescriptor) external onlyAdmin {
// Check that the new NFT descriptor is not the zero address
+ require(address(newNFTDescriptor) != address(0), "New NFT descriptor is the zero address");
// Effect: set the NFT descriptor.
ISablierV2NFTDescriptor oldNftDescriptor = nftDescriptor;
nftDescriptor = newNFTDescriptor;
// Log the change of the NFT descriptor.
emit SetNFTDescriptor(msg.sender, oldNftDescriptor, newNFTDescriptor);
// Refresh the NFT metadata for all streams.
emit BatchMetadataUpdate(1, nextStreamId - 1);
}
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Info/Gas/Invalid as per Docs
https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Prize pool breakdown
Total prize
53,440 USDC
nSLOC
2,65520 USDC / LOC
45,000 USDC
3,100 USDC
5,340 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.