Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Missing zero address check in `core/TokenManager::initialize` function

x0rc1ph3r

Summary

The TokenManager::initialize function allows the contract owner to set the wrappedNativeToken address. However, there is no validation to ensure that the provided address is valid and not the zero address. This oversight can lead to potential issues where the contract is unable to properly handle wrapped native tokens.

Vulnerability Details

The initialize function is defined as follows:

function initialize(address _wrappedNativeToken) external onlyOwner {

wrappedNativeToken = _wrappedNativeToken;

}

This function allows the owner to set the wrappedNativeToken variable to a specified address. However, there is no check to verify that _wrappedNativeToken is a valid address and not the zero address (address(0x0)).

Proof Of Concept

If the owner mistakenly passes the zero address to this function, the contract will set wrappedNativeToken to address(0x0), leading to several issues:

@> Loss of Functionality: Subsequent operations that rely on the `wrappedNativeToken` address (e.g., transfers, withdrawals) may fail or behave unpredictably, as the zero address is not a valid token contract.

@> Security Risks: The contract may attempt to send or interact with the zero address, leading to asset loss or unintended behaviors.

Impact

The absence of a zero address check in the initialize function could lead to:

@> Loss of Funds: If the contract interacts with the zero address due to this misconfiguration, it could result in the loss of Ether or tokens.

@> Broken Functionality: The contract's functionality related to the wrapped native token could be compromised, leading to failures in critical operations.

Tools Used

Manual Code Review

Recommended Mitigation

To prevent the issues associated with setting wrappedNativeToken to an invalid address, the following mitigation should be implemented:

Add a Zero Address Check

Before setting the wrappedNativeToken variable, add a check to ensure that _wrappedNativeToken is not the zero address. If the check fails, the function should revert with an appropriate error message.

function initialize(address _wrappedNativeToken) external onlyOwner {

+ require(_wrappedNativeToken != address(0x0), "Invalid address: zero address");

wrappedNativeToken = _wrappedNativeToken;

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.