Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Validation in setNFTDescriptor

Summary

The setNFTDescriptor function does not validate that the new NFT descriptor address is not the zero address.

Vulnerability Details

function setNFTDescriptor(IFlowNFTDescriptor newNFTDescriptor) external override onlyAdmin {
    IFlowNFTDescriptor oldNftDescriptor = nftDescriptor;
    nftDescriptor = newNFTDescriptor;
    emit ISablierFlowBase.SetNFTDescriptor({
        admin: msg.sender,
        oldNFTDescriptor: oldNftDescriptor,
        newNFTDescriptor: newNFTDescriptor
    });
    emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });
}

The function assigns the provided address directly to the state variable without verifying that it is not the zero address (0x0).

Impact

Could temporarily break NFT metadata functionality

Would affect all existing NFTs' metadata retrieval until fixed

This can be fixed by calling the function again with a valid address

Tools Used

Manual code review

Recommendations

Add zero address validation check:

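function setNFTDescriptor(IFlowNFTDescriptor newNFTDescriptor) external override onlyAdmin {
    // Proposed check: reject the zero address before updating state.
    if (address(newNFTDescriptor) == address(0)) {
        revert Errors.SablierFlow_ZeroAddress("newNFTDescriptor");
    }
    IFlowNFTDescriptor oldNftDescriptor = nftDescriptor;
    nftDescriptor = newNFTDescriptor;
    emit ISablierFlowBase.SetNFTDescriptor({ admin: msg.sender, oldNFTDescriptor: oldNftDescriptor, newNFTDescriptor: newNFTDescriptor });
    emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });
}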
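
The impact and the recommended check, shown on a minimal stand-in contract as an added example; this is not code from the submission or from Sablier Flow. IDescriptor, FixedDescriptor, DescriptorHolder and the assumption that tokenURI forwards to the descriptor through a high-level call are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-ins for illustration; not the Sablier Flow contracts.
interface IDescriptor {
    function tokenURI(uint256 tokenId) external view returns (string memory);
}

contract FixedDescriptor is IDescriptor {
    function tokenURI(uint256) external pure returns (string memory) {
        return "data:application/json;base64,e30="; // constructed sample: base64 of "{}"
    }
}

contract DescriptorHolder {
    error ZeroAddress();
    error NotAdmin();

    address public immutable admin;
    IDescriptor public descriptor;

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Unchecked setter, mirroring the pattern described in the finding.
    function setDescriptorUnchecked(IDescriptor d) external onlyAdmin {
        descriptor = d;
    }

    // Checked setter, mirroring the recommendation.
    function setDescriptor(IDescriptor d) external onlyAdmin {
        if (address(d) == address(0)) revert ZeroAddress();
        descriptor = d;
    }

    // Assumption: metadata reads are forwarded with a high-level call. With
    // descriptor == address(0) there is no code to return data, so this
    // reverts for every token until the admin sets a deployed descriptor.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        return descriptor.tokenURI(tokenId);
    }
}
```

Only the admin can reach either setter, and a second call with a deployed descriptor restores tokenURI, which matches the recoverable impact listed above.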

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
