Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Missing checks for `address(0)` when assigning values to address state variables.

nitinaimshigh

Summary : Without checking for address(0), initial admin is assigned to new admin.

/// @dev Emits {TransferAdmin} event.
/// @param initialAdmin The address of the initial contract admin.
/// @param initialNFTDescriptor The address of the initial NFT descriptor.
constructor(address initialAdmin, IFlowNFTDescriptor initialNFTDescriptor) {
nextStreamId = 1;
admin = initialAdmin;
nftDescriptor = initialNFTDescriptor;
//@Question Why oldAdmin: address(0)?
emit TransferAdmin({ oldAdmin: address(0), newAdmin: initialAdmin });
}

Vulnerability Details : The issue is that the admin state variable is being assigned a value without checking if the newAdmin address is address(0).

In Solidity, address(0) is a special address that represents the zero address. Assigning address(0) to a state variable can lead to unintended behavior, such as:

  • Reverting the contract's state to an invalid state

  • Allowing unauthorized access to the contract's functionality

  • Causing the contract to malfunction or crash

Impact : Impact : In Solidity, address(0) is a special address that represents the zero address. Assigning address(0) to a state variable can lead to unintended behavior, such as:

  • Reverting the contract's state to an invalid state

  • Allowing unauthorized access to the contract's functionality

  • Causing the contract to malfunction or crash

  • Proof of Code is given below:

    pragma solidity ^0.8.0;
    contract Adminable {
    address public admin;
    function transferAdmin(address newAdmin) public {
    admin = newAdmin;
    }
    }
    contract Attacker {
    Adminable public adminable;
    constructor(address _adminable) public {
    adminable = Adminable(_adminable);
    }
    function attack() public {
    adminable.transferAdmin(address(0));
    }
    }

In this example, the Adminable contract has a transferAdmin function that allows the admin to be changed. However, there is no check to ensure that the newAdmin address is not address(0).

The Attacker contract has an attack function that calls the transferAdmin function with address(0) as the newAdmin address. This allows the attacker to set the admin to address(0), which can lead to unintended behavior.

Here's a breakdown of the code:

  • admin = newAdmin;:

    • This line assigns the newAdmin address to the admin state variable.

    • However, there is no check to ensure that the newAdmin address is not address(0).

  • adminable.transferAdmin(address(0));:

    • This line calls the transferAdmin function with address(0) as the newAdmin address.

    • This allows the attacker to set the admin to address(0), which can lead to unintended behavior.

Tools Used : Slither, Aderyn, VS Code, Solidity Metrics

Recommendations : To fix this issue, it's recommended to add a check to ensure that the newAdmin address is not address(0) before assigning it to the admin state variable.

Here's an example of how the code can be modified to add the check:

function transferAdmin(address newAdmin) public virtual override onlyAdmin {
require(newAdmin != address(0), "New admin cannot be zero address");
admin = newAdmin;
// Log the transfer of the admin.
emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.