Submission Details
Severity:
Missing zero address validation in MembershipERC1155::initialize function
Summary
The initialize function in the MembershipERC1155contract is supposed to initialize the contract ,however it does no check for zero addresses during the function call
Vulnerability Details
function initialize(
string memory name_,
string memory symbol_,
string memory uri_,
address creator_,
address currency_
) external initializer {
// lacks zero address check
_name = name_;
_symbol = symbol_;
creator = creator_;
currency = currency_;
_setURI(uri_);
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
_grantRole(DAO_CREATOR, creator_);
_grantRole(OWP_FACTORY_ROLE, msg.sender);
}
Impact
The contract could initialize with zero address and would have to Re-deploy the whole contract in order to Re-Initialize the function.
Tools Used
manual review
Recommendations
check for zero address in the function and revert if it is a zero address.
function initialize(
string memory name_,
string memory symbol_,
string memory uri_,
address creator_,
address currency_
) external initializer {
+ if (creator_ == address(0)) revert CannotBeZeroAddress();
+ if (currency_ == address(0)) revert CannotBeZeroAddress();
_name = name_;
_symbol = symbol_;
creator = creator_;
currency = currency_;
_setURI(uri_);
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
_grantRole(DAO_CREATOR, creator_);
_grantRole(OWP_FACTORY_ROLE, msg.sender);
}
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128
USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.