First Flight #18: T-Swap

First Flight #18 | Beginner Friendly, DeFi, Foundry
Submission Details
Severity: Low
Status: Invalid

Missing Zero-Address Validation in PoolFactory.sol

Summary

This report describes a finding in the PoolFactory smart contract surfaced during a Slither analysis: the constructor initializes the i_wethToken state variable without first checking that the supplied address is non-zero.

Vulnerability Details

Missing Zero-Address Validation

  • Location: PoolFactory.sol, lines 40-41

  • Code: i_wethToken = wethToken; (line 41)

  • Description: The constructor PoolFactory(address) assigns wethToken directly to i_wethToken without checking that wethToken is not the zero address (address(0)). Because i_wethToken is set once at deployment, a zero or otherwise incorrect value cannot be corrected afterwards and can cause unexpected behavior wherever the factory relies on it.

  • Reference: Slither Detector Documentation: Missing Zero-Address Validation

Impact

Without a zero-address check in the PoolFactory constructor, i_wethToken can be initialized with an invalid address. Pool creation and any other interaction with the factory that depends on the WETH address could then fail or behave unexpectedly, reducing the reliability and security of the contract.

Recommendations

To mitigate the risk associated with missing zero-address validation, consider the following recommendations:

  1. Implement a zero-address check: Modify the constructor to include a require statement that verifies wethToken is not the zero address (address(0)) before it is assigned to i_wethToken.

  2. Use safe assignments: Ensure every state variable assignment and initialization validates its input so the contract cannot be deployed or left in an unintended state.

By addressing this vulnerability and following these recommendations, the PoolFactory contract can be strengthened to enhance security and reliability.
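The hardened constructor from recommendation 1, together with a Foundry test that asserts deployment with address(0) reverts, as an added example (not the T-Swap source). Only the WETH wiring of PoolFactory is reproduced; the revert message, the getWethToken accessor and the WETH placeholder address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal PoolFactory showing only the immutable WETH wiring (example, not the audited code).
contract PoolFactory {
    address private immutable i_wethToken;

    constructor(address wethToken) {
        // Recommendation 1: reject address(0) before it becomes immutable state.
        // Revert string is an assumption, not taken from the T-Swap repository.
        require(wethToken != address(0), "PoolFactory: weth is zero address");
        i_wethToken = wethToken;
    }

    // Assumed read accessor so the test can inspect the stored value.
    function getWethToken() external view returns (address) {
        return i_wethToken;
    }
}

// Foundry test: zero address must revert at deployment, a real address must be stored.
contract PoolFactoryZeroAddressTest is Test {
    // Constructed placeholder address standing in for the WETH token.
    address constant WETH = address(0xBEEF);

    function test_RevertsOnZeroWeth() public {
        // expectRevert applies to the next call or contract creation.
        vm.expectRevert(bytes("PoolFactory: weth is zero address"));
        new PoolFactory(address(0));
    }

    function test_StoresValidWeth() public {
        PoolFactory factory = new PoolFactory(WETH);
        assertEq(factory.getWethToken(), WETH);
    }
}
```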

Updates

Appeal created

inallhonesty (Lead Judge), over 1 year ago:
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
