First Flight #21: KittyFi

Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Missing Zero Address Checks in Constructor Parameters

Summary

Contracts are missing address validation in their constructors. Every address should be validated and checked to ensure it is different from the zero address (0x0000000000000000000000000000000000000000).

Vulnerability Details

Every contract has to ensure that all essential addresses it uses are valid and properly initialized. If any critical address is set to the zero address, it can lead to significant issues in contract functionality and security vulnerabilities. This report assesses the constructor parameters of the contract to identify potential risks associated with the use of zero addresses.

Contract Details

The contract under review includes several immutable addresses set through its constructor:

  • i_token - The address of the collateral token used in the vault.

  • i_pool - The address of the KittyPool.

  • i_priceFeed - The address of the price feed for the collateral token.

  • i_euroPriceFeed - The address of the price feed for euros.

  • meowntainer - The address of the maintainer responsible for Aave operations.

  • i_aavePool - The address of the Aave pool where the collateral is supplied.

constructor(address _token, address _pool, address _priceFeed, address _euroPriceFeed, address _meowntainer, address _aavePool) {
    i_token = _token;
    i_pool = _pool;
    i_priceFeed = AggregatorV3Interface(_priceFeed);
    i_euroPriceFeed = AggregatorV3Interface(_euroPriceFeed);
    meowntainer = _meowntainer;
    i_aavePool = IAavePool(_aavePool);
}

If any of these addresses are set to the zero address (0x0000000000000000000000000000000000000000), the contract might not function as intended. Zero addresses are typically used to indicate the absence of a valid address.

Impact

Function Failures: Operations or interactions with external contracts might fail if they rely on valid addresses.

Security Risks: Zero addresses could potentially be exploited to bypass critical functionalities, leading to vulnerabilities.

Recommendations

constructor(address _token, address _pool, address _priceFeed, address _euroPriceFeed, address _meowntainer, address _aavePool) {
    require(_token != address(0), "Token address cannot be zero");
    require(_pool != address(0), "Pool address cannot be zero");
    require(_priceFeed != address(0), "Price feed address cannot be zero");
    require(_euroPriceFeed != address(0), "Euro price feed address cannot be zero");
    require(_meowntainer != address(0), "Meowntainer address cannot be zero");
    require(_aavePool != address(0), "Aave pool address cannot be zero");
    i_token = _token;
    i_pool = _pool;
    i_priceFeed = AggregatorV3Interface(_priceFeed);
    i_euroPriceFeed = AggregatorV3Interface(_euroPriceFeed);
    meowntainer = _meowntainer;
    i_aavePool = IAavePool(_aavePool);
}
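
A Foundry regression test for the recommended checks, added here as an example; it is not part of the submission or of the KittyFi code base. VaultStandIn is a hypothetical stand-in that keeps the six constructor parameters and revert strings from the recommendation (interface types replaced by plain addresses), and the 0x1000-range addresses are constructed placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: the recommendation's six parameters and revert strings, two values stored.
contract VaultStandIn {
    address public immutable i_token;
    address public meowntainer;
    constructor(address _token, address _pool, address _priceFeed,
        address _euroPriceFeed, address _meowntainer, address _aavePool) {
        require(_token != address(0), "Token address cannot be zero");
        require(_pool != address(0), "Pool address cannot be zero");
        require(_priceFeed != address(0), "Price feed address cannot be zero");
        require(_euroPriceFeed != address(0), "Euro price feed address cannot be zero");
        require(_meowntainer != address(0), "Meowntainer address cannot be zero");
        require(_aavePool != address(0), "Aave pool address cannot be zero");
        i_token = _token;
        meowntainer = _meowntainer;
    }
}

contract ZeroAddressConstructorTest is Test {
    // Constructed non-zero placeholder addresses, one per constructor parameter.
    function _valid() internal pure returns (address[6] memory a) {
        for (uint256 i = 0; i < 6; i++) a[i] = address(uint160(0x1000 + i));
    }

    // Zero each parameter in turn; deployment must revert with that parameter's message.
    function test_RevertsWhenAnyParameterIsZero() public {
        string[6] memory reasons = [
            "Token address cannot be zero", "Pool address cannot be zero",
            "Price feed address cannot be zero", "Euro price feed address cannot be zero",
            "Meowntainer address cannot be zero", "Aave pool address cannot be zero"
        ];
        for (uint256 i = 0; i < 6; i++) {
            address[6] memory a = _valid();
            a[i] = address(0);
            vm.expectRevert(bytes(reasons[i]));
            new VaultStandIn(a[0], a[1], a[2], a[3], a[4], a[5]);
        }
    }

    // Control case: with all six addresses non-zero the deployment goes through.
    function test_DeploysWithNonZeroParameters() public {
        address[6] memory a = _valid();
        VaultStandIn v = new VaultStandIn(a[0], a[1], a[2], a[3], a[4], a[5]);
        assertEq(v.i_token(), a[0]);
    }
}
```

Run it with `forge test` in a project that has forge-std installed.
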
Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

Auditor0x1 Submitter about 1 year ago
shikhar229169 Lead Judge about 1 year ago
shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
