The setForwarder function allows the owner to update the forwarder address without validating the new address. This could potentially lead to the forwarder being set to the zero address (0x0), which in turn would render the onlyForwarder modifier ineffective.
Look at this part of the code: https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/external/chainlink/keepers/BaseKeeper.sol#L39-L42
This function allows the owner to set the forwarder address to any value, including the zero address. If the forwarder is set to the zero address, it would break the functionality of the onlyForwarder modifier:
With a zero-address forwarder, no valid address would be able to pass the check in this modifier, effectively disabling any functions that rely on it for access control.
Likelihood: Low, as it requires an error by the contract owner.
Impact: High, as it could significantly disrupt the contract's intended functionality and could also cause a DoS.
All functions using the onlyForwarder modifier would become inaccessible, as no address would be able to pass the authorization check, causing a DoS.
This may require a contract upgrade to fix.
Manual code review
Implement a zero address check in the setForwarder function:
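A minimal sketch of the recommended check, added here as an illustration and not taken from the Zaros repository: the contract name, storage layout, error names, event and the upkeep counter are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative keeper, not the Zaros BaseKeeper. Storage layout, errors,
// event and counter are assumptions made for this example.
contract KeeperExample {
    address public immutable owner;
    address public forwarder;
    uint256 public upkeepCount;

    error Unauthorized(address sender);
    error ZeroAddress();

    event ForwarderUpdated(address indexed previous, address indexed current);

    constructor(address initialForwarder) {
        // Apply the same validation at deployment as in the setter.
        if (initialForwarder == address(0)) revert ZeroAddress();
        owner = msg.sender;
        forwarder = initialForwarder;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    // If forwarder were address(0), no on-chain transaction could satisfy
    // this check, so every function guarded by it would revert.
    modifier onlyForwarder() {
        if (msg.sender != forwarder) revert Unauthorized(msg.sender);
        _;
    }

    // Rejecting address(0) keeps onlyForwarder functions reachable.
    function setForwarder(address newForwarder) external onlyOwner {
        if (newForwarder == address(0)) revert ZeroAddress();
        emit ForwarderUpdated(forwarder, newForwarder);
        forwarder = newForwarder;
    }

    // Stand-in for a forwarder-gated entry point; counts successful calls.
    function performUpkeep(bytes calldata) external onlyForwarder {
        upkeepCount += 1;
    }
}
```

The ForwarderUpdated event is not part of the recommendation itself; it gives monitoring a record of every forwarder change to alert on.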