Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Check in PreMarket::updateStockStatus

Summary

The PreMarket::updateStockStatus function lacks a crucial zero address check for the _stock parameter. This oversight could potentially lead to unintended state changes or errors when interacting with non-existent stock entries.

Vulnerability Details

In the PreMarket::updateStockStatus function, there is no validation to ensure that the provided _stock address is not the zero address (0x0). The function directly accesses the stockInfoMap using the provided address without any preliminary checks.

This means that if a zero address is passed (either accidentally or maliciously), the function will still execute, potentially updating a non-existent stock entry or causing unexpected behavior.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L721-L729

Impact

The lack of a zero address check could lead to several issues:

  1. Silent failures: Updating the status of a non-existent stock (zero address) would not throw an error but would not have any real effect, potentially leading to misconceptions about the system state.

  2. Inconsistent state: If other parts of the system rely on the assumption that all stocks in stockInfoMap are valid, this could lead to inconsistencies.

  3. Difficulty in debugging: Issues caused by accidentally passing a zero address might be hard to trace, as the function would execute without error.

  4. Potential for misuse: Malicious actors could exploit this to emit misleading events with a zero address stock.

Tools Used

Manual Review

Recommendations

To address this vulnerability, implement a zero address check at the beginning of the function:

    function updateStockStatus(
        address _stock,
        StockStatus _status
    ) external onlyDeliveryPlace(tadleFactory, _msgSender()) {
        // Reject the zero address before touching storage.
        // ZeroAddressStock must be declared as a custom error in the contract.
        if (_stock == address(0)) {
            revert ZeroAddressStock();
        }
        StockInfo storage stockInfo = stockInfoMap[_stock];
        stockInfo.stockStatus = _status;
        emit StockStatusUpdated(_stock, _status);
    }

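Added example (not part of the original submission or the Tadle code base): a simplified model of the lookup described under Vulnerability Details, next to a variant that applies the recommended zero-address check and goes one step further with an existence check. The struct fields, enum values, `create`, `StockNotFound` and the omitted access control are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example: simplified model, not the Tadle PreMarkets contract.
// Struct fields, enum values, `create` and `StockNotFound` are assumptions.
contract StockStatusModel {
    enum StockStatus { Unknown, Initialized, Finished }

    struct StockInfo {
        address authority;      // hypothetical: non-zero once a stock is created
        StockStatus stockStatus;
    }

    mapping(address => StockInfo) public stockInfoMap;

    error ZeroAddressStock();
    error StockNotFound(address stock);

    event StockStatusUpdated(address indexed stock, StockStatus status);

    // Hypothetical creation path so existing entries can be told apart.
    function create(address _stock) external {
        stockInfoMap[_stock] = StockInfo(msg.sender, StockStatus.Initialized);
    }

    // Pattern described in the finding: a mapping lookup never fails, so
    // any key, including address(0), yields a zeroed slot that is then
    // written to and reported in an event.
    function updateUnchecked(address _stock, StockStatus _status) external {
        StockInfo storage stockInfo = stockInfoMap[_stock];
        stockInfo.stockStatus = _status;
        emit StockStatusUpdated(_stock, _status);
    }

    // Zero-address check from the recommendation, plus an existence check
    // that also rejects every other key that was never created.
    function updateChecked(address _stock, StockStatus _status) external {
        if (_stock == address(0)) revert ZeroAddressStock();
        StockInfo storage stockInfo = stockInfoMap[_stock];
        if (stockInfo.authority == address(0)) revert StockNotFound(_stock);
        stockInfo.stockStatus = _status;
        emit StockStatusUpdated(_stock, _status);
    }
}
```
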
Updates

Lead Judging Commences

0xnevi Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
