Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of input parameter checks in sablierFlowBase constructor

0xsalami

Summary

The contract SablierFlowBase lacks zero address checks in critical functions where addresses, particularly initialAdmin and initialNFTDescriptor, are assigned. This can result in unexpected behavior if a zero address is accidentally set, especially since these addresses are used for administrative and descriptor functions.

Vulnerability Details

The constructor in SablierFlowBase does not validate the initialAdmin and initialNFTDescriptor parameters, allowing the contract to set these critical addresses to the zero address. Without checks, if a zero address is assigned, the contract can suffer from loss of control over admin functions or inability to retrieve the NFT descriptor, potentially leading to loss of revenue or contract functionality.

Impact

Loss of Administrative Control: If initialAdmin is set to zero, the contract will lack a valid admin address, leading to an inability to manage or change admin-level permissions.

Code Snippet

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/abstracts/SablierFlowBase.sol#L58

Tools Used

Manual review

Recommendations

Add checks to the constructor to ensure that neither initialAdmin nor initialNFTDescriptor can be the zero address..

constructor(address initialAdmin, IFlowNFTDescriptor initialNFTDescriptor) {

require(initialAdmin != address(0), "Admin address cannot be zero address");

require(address(initialNFTDescriptor) != address(0), "NFT descriptor address cannot be zero address");

nextStreamId = 1;

admin = initialAdmin;

nftDescriptor = initialNFTDescriptor;

emit TransferAdmin({ oldAdmin: address(0), newAdmin: initialAdmin });

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.