Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Zero address checks missing in `Swan::initialize()` function

Summary

Add zero address checks in initialize() for address parameters.

Vulnerability Details

Add zero address checks (`address(0)`) for all contract addresses in the `Swan::initialize()` function, especially for critical dependencies like `_coordinator`, `_token`, `_buyerAgentFactory`, and `_swanAssetFactory`. This ensures that the contracts you rely on are valid and avoids potential issues with interacting with uninitialized addresses.

Impact

Adding these checks ensures the contract is set up correctly and avoids potential issues with invalid addresses.

Tools Used

Manual audit

Recommendations

function initialize(
SwanMarketParameters calldata _marketParameters,
LLMOracleTaskParameters calldata _oracleParameters,
address _coordinator,
address _token,
address _buyerAgentFactory,
address _swanAssetFactory
) public initializer {
+ require(_coordinator != address(0), "Invalid coordinator address");
+ require(_token != address(0), "Invalid token address");
+ require(_buyerAgentFactory != address(0), "Invalid buyer agent factory address");
+ require(_swanAssetFactory != address(0), "Invalid swan asset factory address");
__Ownable_init(msg.sender);
require(_marketParameters.platformFee <= 100, "Platform fee cannot exceed 100%");
// market & oracle parameters
marketParameters.push(_marketParameters);
oracleParameters = _oracleParameters;
// contracts
coordinator = LLMOracleCoordinator(_coordinator);
token = ERC20(_token);
buyerAgentFactory = BuyerAgentFactory(_buyerAgentFactory);
swanAssetFactory = SwanAssetFactory(_swanAssetFactory);
// swan is an operator
isOperator[address(this)] = true;
// owner is an operator
isOperator[msg.sender] = true;
}
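
Review bot: The four added `require` lines at the top of the body only reject `address(0)`; any other wrong value (an EOA, or a contract of the wrong type) still passes and is cast unchecked at `coordinator = LLMOracleCoordinator(_coordinator)` and the three assignments after it. If the goal is to catch a misconfigured deployment, consider also requiring `_coordinator.code.length > 0` (and the same for `_token`, `_buyerAgentFactory` and `_swanAssetFactory`), and place the new checks next to the existing `platformFee` require so all input validation sits in one place. Because the function carries the `initializer` modifier, a bad value that gets through cannot be corrected by calling it a second time.
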
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
