Submission Details
Severity:
Missing Zero Address Validation in `CharityRegistry.sol`
Description: The contract lacks zero address validation in critical functions such as CharityRegistry::changeAdmin() and CharityRegistry::registerCharity() where addresses are used as parameters. This could lead to irrecoverable states if zero addresses are accidentally input.
function changeAdmin(address newAdmin) public
function registerCharity(address charity) public
Impact:
Admin role could be permanently lost if set to zero address
Charities could be registered with zero address
No way to recover from these states due to lack of validation
Proof of Concept:
function testZeroAddressVulnerability() public {
vm.prank(admin);
registry.changeAdmin(address(0));
// Contract now has zero address admin
assertEq(registry.admin(), address(0));
}
Recommended Mitigation: Add zero address validation checks such as given below:
modifier nonZeroAddress(address _address) {
require(_address != address(0), "Zero address not allowed");
_;
}
function changeAdmin(address newAdmin) public onlyAdmin nonZeroAddress(newAdmin) {
admin = newAdmin;
emit AdminChanged(newAdmin);
}
Rewards breakdown
nSLOC
67This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.