Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Uninitialized currency and creator variables

Summary

The currency and creator variables are passed as parameters during contract initialization but are not validated for correct addresses (e.g., non-zero addresses), which can lead to unexpected behavior or malfunctions in the contract.

Finding Description

The issue lies in the contract's initialize function where the currency and creator addresses are set without any checks to ensure they are valid. If these parameters are passed as the zero address (address(0)), functions that rely on these addresses, such as transferring tokens to/from the contract, would fail or misbehave.

This breaks the assumption that these addresses will always be valid, which is crucial for the contract’s proper operation (especially for token transfers and profit management).

Security Guarantees Broken:

  1. Correctness: If the currency or creator addresses are set incorrectly (e.g., zero address), the contract’s core functionalities like profit distribution and transfers could fail or behave unexpectedly.

  2. Reliability: The contract may fail silently or cause significant errors that cannot be easily detected without additional checks.

How it Breaks:

If either currency or creator is set to address(0) during initialization, any function that relies on these addresses, like sendProfit() or claimProfit(), will fail when attempting to transfer tokens. These failures can be hard to detect if not checked beforehand, leading to a loss of funds or incomplete contract operations.


Vulnerability Details

  • File Location: MembershipERC1155.sol

  • Issue Location: In the initialize function, currency and creator are assigned from parameters but are not validated.

  • Severity: Medium

  • Likelihood of Exploitation: Low, as the issue depends on incorrect initialization, but it can cause severe problems if encountered.


Impact

  • High: If either the currency or creator is set to the zero address, profit distribution and transfer functionality will break, potentially rendering the contract unusable or leading to a loss of funds.

  • Low to Medium: This is a configuration issue that is unlikely to be encountered under normal circumstances, but it can severely impact contract functionality if not addressed during deployment.


Proof of Concept

Example of malfunction:

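If a malicious actor, or a developer by oversight, fails to properly initialize the currency or creator addresses:

    // membership is a MembershipERC1155 instance; the last two arguments are creator_ and currency_
    membership.initialize("Membership", "M", "uri", address(0), address(0));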

Then, calling claimProfit() or sendProfit() will fail silently or produce unexpected results because the contract cannot properly transfer tokens to/from invalid addresses.


Recommendations

To fix this issue, add validation checks for the currency and creator parameters in the initialize function to ensure they are valid addresses. Here’s a potential solution:

    function initialize(
        string memory name_,
        string memory symbol_,
        string memory uri_,
        address creator_,
        address currency_
    ) external initializer {
        // Reject the zero address before any state is written
        require(creator_ != address(0), "Invalid creator address");
        require(currency_ != address(0), "Invalid currency address");

        _name = name_;
        _symbol = symbol_;
        creator = creator_;
        currency = currency_;
        _setURI(uri_);

        // Role assignments
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(DAO_CREATOR, creator_);
        _grantRole(OWP_FACTORY_ROLE, msg.sender);
    }

This ensures that the contract cannot be initialized with invalid addresses, preventing issues with token transfers and other functions that depend on these addresses.
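
The recommended check can be taken one step further, because a non-zero address can still be the wrong kind of address (for example an account with no code). The following is an added example, not code from the submission or from the One World project; `InitChecks`, `MembershipInitSketch` and the `totalSupply()` probe are assumptions made for illustration, and a plain boolean flag stands in for the `initializer` modifier so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name in this file is hypothetical.
library InitChecks {
    error ZeroAddress(string param);
    error NotAToken(address candidate);

    function requireNonZero(address a, string memory param) internal pure {
        if (a == address(0)) revert ZeroAddress(param);
    }

    // A non-zero address can still be unusable as a currency: an account
    // without code, or a contract that is not a token. Require deployed code
    // and a well-formed 32-byte answer to totalSupply().
    function requireErc20Like(address token) internal view {
        requireNonZero(token, "currency");
        if (token.code.length == 0) revert NotAToken(token);
        (bool ok, bytes memory ret) = token.staticcall(
            abi.encodeWithSignature("totalSupply()")
        );
        if (!ok || ret.length != 32) revert NotAToken(token);
    }
}

// Constructed stand-in for a membership contract's initializer.
contract MembershipInitSketch {
    address public creator;
    address public currency;
    bool private _initialized; // stands in for the initializer modifier

    error AlreadyInitialized();

    function initialize(address creator_, address currency_) external {
        if (_initialized) revert AlreadyInitialized();
        // Validate every parameter before writing any state.
        InitChecks.requireNonZero(creator_, "creator");
        InitChecks.requireErc20Like(currency_);
        _initialized = true;
        creator = creator_;
        currency = currency_;
    }
}
```

Custom errors carry the offending parameter or address in the revert data, so a failed deployment script shows which argument was rejected.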

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
