Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

`admin` zero address check missing

Summary

Missing zero address check in SablierFlowBase::constructor() and Adminable::transferAdmin().

Vulnerability Details

The zero address check is missing when setting or transferring the admin address. This allows the admin to be set to the zero address.

Impact

If the admin address is set to address(0), it may disable key functionality in the contract. This is particularly serious if the admin manages important operations like fund transfers, contract upgrades, or parameter adjustments.

Tools Used

Manual review

Recommendations

Add a zero address check:

constructor(address initialAdmin, IFlowNFTDescriptor initialNFTDescriptor) {
+ require(initialAdmin != address(0), "Invalid newAdmin address.");
nextStreamId = 1;
admin = initialAdmin;
nftDescriptor = initialNFTDescriptor;
emit TransferAdmin({ oldAdmin: address(0), newAdmin: initialAdmin });
}
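Review bot: In the constructor, the revert string on the added require reads "Invalid newAdmin address." but the argument being checked is initialAdmin; newAdmin only exists in transferAdmin. Use a message that names the right parameter, for example "Invalid initialAdmin address.", so that a reverted deployment points at the constructor input rather than at a transfer that never happened.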
function transferAdmin(address newAdmin) public virtual override onlyAdmin {
+ require(newAdmin != address(0), "Invalid newAdmin address.");
// Effect: update the admin.
admin = newAdmin;
// Log the transfer of the admin.
emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });
}
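Review bot: The added require in transferAdmin rejects only address(0); any other mistyped or uncontrolled address still passes, and admin = newAdmin takes effect in the same call, which leaves the contract without a usable admin just as the finding describes. If the aim is to prevent accidental loss of the role, consider a two-step handover in which the proposed admin has to accept before admin is updated. Also state whether the admin is ever expected to give up the role by passing address(0): after this change transferAdmin can no longer do that, and the hunk adds no replacement for it.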
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
