Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing Zero Address Check

aliqbdoli

Summary

Failing to check for a possible 0 address input (especially in constructors, setters, and initializer functions) before such interactions can lead to unexpected dangerous behavior. A zero address check ensures that addresses are explicitly provided and not left uninitialized or set to a default, invalid state.

Vulnerability Details

in SablierFlow.sol and SablierFlowBase.sol there isn't check for address(0)

constructor(
address initialAdmin,
IFlowNFTDescriptor initialNFTDescriptor
)
ERC721("Sablier Flow NFT", "SAB-FLOW")
SablierFlowBase(initialAdmin, initialNFTDescriptor)
{ }

check Base.t.soland using address(0) for SablierFlow constructor

function setUp() public virtual {
// sablierFlow1 = new SablierFlow(users.admin, );
users.admin = payable(makeAddr("admin"));
if (!isBenchmarkProfile() && !isTestOptimizedProfile()) {
nftDescriptor = new FlowNFTDescriptor();
+ flow = new SablierFlow(address(0), nftDescriptor);
} else {
flow = deployOptimizedSablierFlow();
}
...

Impact

The ERC721 base constructor is called with the name "Sablier Flow NFT" and symbol "SAB-FLOW".

The SablierFlowBase base constructor is then called with address(0) as the initialAdmin.

Any other parameters passed to the SablierFlow constructor will be ignored due to the order of inheritance.

Having no admin means there's no way to pause the contract, recover funds, or perform other important administrative actions

Tools Used

Personal Knowledge,Foundry

Recommendations

Use require statements to validate addresses before any operation involving external addresses is performed, especially on constructors, setters or initializer functions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.