Missing input validation in a couple of contracts
Summary
A couple of contracts contain LOW vulnerabilities related to missing input validation for key parameters, which can lead to unexpected behaviors or exploitation.
Vulnerability Details
The constructor accepts parameters, including the initial admin address and the initial NFT descriptor. However, there is no validation to ensure that these addresses are not zero.
-
Adminable.sol transferAdmin Function:
The
transferAdminfunction allows the current admin to change the admin address. Similar to the constructor, there is no validation to ensure that the new admin address is not zero.
-
SablierFlow.sol _create function Input Validation:
While the function correctly checks if the
senderaddress is non-zero, it lacks validation for therecipientaddress.
-
SablierFlowBase.sol constructor input validation:
missing input validation for initialAdmin
Impact
A zero admin address can lead to unauthorized access or unmanageable contract states
Tools Used
Manual Review
Recommendations
Add input validation in:
1. Adminable.sol constructor for initialAdmin parameter.
2. SablierFlow.sol _create function for recipient parameter.
3. SablierFlowBase.sol constructor for initialAdmin parameter.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.