Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Validation in Constructor

Summary

The constructor of the SablierFlowBase contract lacks zero address validation for both initialAdmin and initialNFTDescriptor parameters.

Vulnerability Details

constructor(address initialAdmin, IFlowNFTDescriptor initialNFTDescriptor) {
    nextStreamId = 1;
    admin = initialAdmin;
    nftDescriptor = initialNFTDescriptor;
    emit TransferAdmin({ oldAdmin: address(0), newAdmin: initialAdmin });
}

The constructor assigns the provided addresses directly to state variables without verifying that they are not the zero address (0x0).

Impact

If deployed with zero address parameters, core contract functionality would be permanently broken:

  • Admin functions would be inaccessible if initialAdmin is set to the zero address

  • NFT metadata functionality would be non-functional if initialNFTDescriptor is set to the zero address

  • This situation would require contract redeployment to fix

Tools Used

Manual code review

Recommendations

Add zero address validation checks in the constructor:

constructor(address initialAdmin, IFlowNFTDescriptor initialNFTDescriptor) {
    if (initialAdmin == address(0)) {
        revert Errors.SablierFlow_ZeroAddress("initialAdmin");
    }
    if (address(initialNFTDescriptor) == address(0)) {
        revert Errors.SablierFlow_ZeroAddress("initialNFTDescriptor");
    }
    nextStreamId = 1;
    admin = initialAdmin;
    nftDescriptor = initialNFTDescriptor;
    emit TransferAdmin({ oldAdmin: address(0), newAdmin: initialAdmin });
}
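The same condition can also be caught off-chain before the deployment transaction is broadcast. The script below is an added example, not part of the original submission or of Sablier's code: it reads the two constructor arguments from the tail of the creation data and reports any that are the zero address. It assumes both arguments are ABI-encoded as one 32-byte address word each (an interface type such as IFlowNFTDescriptor encodes as an address); the function names, the initcode stub and the sample addresses are constructed for illustration.

```python
# Added example: pre-deployment check for zero-address constructor arguments.
# Assumes the creation data ends with the ABI encoding of
# (address initialAdmin, address initialNFTDescriptor), one 32-byte word each.

ZERO_ADDRESS = "0x" + "00" * 20
ARG_NAMES = ("initialAdmin", "initialNFTDescriptor")


def encode_address(addr: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw.rjust(32, b"\x00")


def decode_constructor_addresses(creation_data: bytes, count: int) -> list[str]:
    """Read the last `count` words of the creation data as addresses."""
    tail_len = 32 * count
    if len(creation_data) < tail_len:
        raise ValueError("creation data shorter than the constructor arguments")
    tail = creation_data[-tail_len:]
    addresses = []
    for i in range(count):
        word = tail[32 * i : 32 * (i + 1)]
        if any(word[:12]):  # upper 12 bytes must be zero for an address
            raise ValueError(f"argument {i} is not a canonical address word")
        addresses.append("0x" + word[12:].hex())
    return addresses


def zero_address_args(creation_data: bytes, names=ARG_NAMES) -> list[str]:
    """Return the names of constructor arguments that are the zero address."""
    decoded = decode_constructor_addresses(creation_data, len(names))
    return [n for n, a in zip(names, decoded) if a == ZERO_ADDRESS]


# Constructed sample data: a placeholder initcode stub, not real bytecode.
INITCODE_STUB = bytes.fromhex("6080604052")
ADMIN = "0x" + "a1" * 20        # constructed address
DESCRIPTOR = "0x" + "b2" * 20   # constructed address

GOOD = INITCODE_STUB + encode_address(ADMIN) + encode_address(DESCRIPTOR)
BAD = INITCODE_STUB + encode_address(ZERO_ADDRESS) + encode_address(DESCRIPTOR)

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD)):
        flagged = zero_address_args(data)
        print(label, "->", flagged or "ok")
```

Reading the arguments from the tail works here because both parameters are static 32-byte types; a constructor with dynamic arguments would need a full ABI decoder.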

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
