TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Zero address checks for additional safety

0xwhitehat

Summary

Various negative problems may occur due to the lack of zero address check in the constructor() of the in-scope contracts and TempleGoldStaking.sol#stakeFor() functions.

Vulnerability Details

-The `constructor()` of the in-scope contracts

It's considered best practice to implement zero address checks to prevent accidents. Contracts would have to be redeployed if one of the critical addresses remains zero upon initialization.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L48-L58

constructor(

address _templeGold,

address _bidToken,

address _treasury,

address _rescuer,

address _executor

) TempleElevatedAccess(_rescuer, _executor) {

templeGold = ITempleGold(_templeGold);

bidToken = IERC20(_bidToken);

treasury = _treasury;

}

As you can see, it does not check whether the treasury address is a zero address. As a result, the DAI token is sent to address (0) in the DaiGoldAuction.sol#bid() function, resulting in a loss of funds.

-`TempleGoldStaking.sol#stakeFor()`

Here too, the 'for' address is not checked to see if it is a 0 address. So, the staking token is staked to address(0) , and then the staker cannot withdraw their funds.

function stakeFor(address _for, uint256 _amount) public whenNotPaused {

if (_amount == 0) revert CommonEventsAndErrors.ExpectedNonZero();

// pull tokens and apply stake

stakingToken.safeTransferFrom(msg.sender, address(this), _amount);

uint256 _lastIndex = _accountLastStakeIndex[_for];

_accountLastStakeIndex[_for] = ++_lastIndex;

_applyStake(_for, _amount, _lastIndex);

_moveDelegates(address(0), delegates[_for], _amount);

}

Impact

If the zero address check is failed, the core functions of the protocol may not be executed and funds may be transferred to address (0) and locked.

Tools Used

Manual Review

Recommendations

Consider to implement zero address checks to prevent accidents.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.