Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Admin Initialization

hackz

Summary

The admin address in the Adminable contract is not initialized in the constructor, leading to potential functionality loss.

Finding Description

The Adminable contract requires an admin address to enforce access control through the onlyAdmin modifier. However, the admin variable is left uninitialized upon contract deployment, defaulting to zero (0x0). This oversight effectively renders all admin-only functions inoperable since msg.sender will never equal the uninitialized admin address, preventing legitimate calls from succeeding.

This vulnerability breaks the security guarantee of proper access control by allowing a scenario where no entity can perform administrative tasks, thus locking the contract's functionalities that require admin rights. A malicious actor could exploit this by deploying the contract without a valid admin, making the contract permanently unusable for admin functions.

Vulnerability Details

Severity: High
Vulnerability Type: Access Control
Affected Functionality: All functions guarded by the onlyAdmin modifier.

The problem originates from the lack of a constructor or a mechanism to set the admin address during deployment. Without a valid admin address, the contract remains in a locked state.

Impact

The inability to set an admin address upon contract deployment significantly affects the contract's functionality and its operational integrity. It could prevent essential administrative actions, such as upgrading the contract or adjusting critical parameters, thereby leading to a denial of service for legitimate users.

Proof of Concept

Here’s a snippet of the existing code that showcases the lack of initialization:

abstract contract Adminable is IAdminable {

address public override admin; // Default is 0x0

// No constructor to initialize the admin address

}

Upon deploying this contract, the admin will be 0x0, leading to failure in all onlyAdmin checks:

function transferAdmin(address newAdmin) public virtual override onlyAdmin {

// This will fail if admin is not set

}

Recommendations

To resolve this issue, implement a constructor in the Adminable contract to initialize the admin address properly. Here’s an example of the fixed code:

abstract contract Adminable is IAdminable {

address public override admin;

constructor(address _admin) {

require(_admin != address(0), "Admin cannot be the zero address");

admin = _admin;

}

This change ensures that the admin variable is set to a valid address at the time of contract deployment, preventing potential access control issues and allowing for the intended functionality of the contract.

File Location

Adminable.sol

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.