Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing zero address Validation in Adminable::transferAdmin function can lead to a potential denial of service(DOS) attack

auditbyte

Summary

The Adminable::transferAdmin function lacks a validation check to prevent the admin address from being set to the zero address. This oversight can lead to a potential Denial of Service (DoS) attack, resulting in the loss of contract control

Vulnerability Details

The Adminable::transferAdmin function does not perform a check to ensure that the newAdmin address is not zero before assigning it to the admin variable. This vulnerability could allow an attacker to set the admin to the zero address, effectively locking them out of the contract.

// @audit DOS attack

function transferAdmin(address newAdmin) public virtual override onlyAdmin {

// Effect: update the admin.

admin = newAdmin;

// Log the transfer of the admin.

emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });

}

Impact

An attacker could exploit this vulnerability by calling the transferAdmin function with the zero address as the new admin. This would result in the admin variable being set to the zero address, preventing any future calls to functions marked with the onlyAdmin modifier from succeeding. This could lead to a loss of control over the contract and potentially lock up funds or functionality.

Tools Used

Manual code review
Static analysis: Slither, aderyn, cloc

Recommendations

Add a check to ensure that the newAdmin address is not zero before assigning it to the admin variable. Here's an example of how to fix the code:

function transferAdmin(address newAdmin) public virtual override onlyAdmin {

+ require(newAdmin != address(0), "New admin cannot be zero");

admin = newAdmin;

emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!