Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing zero address check in `MembershipERC1155::initialize` function

Summary

The initialize function lacks validation for critical address parameters, potentially allowing zero addresses to be set for creator and currency variables.

Vulnerability Details

In the initialize function, the contract accepts address parameters without validating them:

```solidity
function initialize(
    string memory name_,
    string memory symbol_,
    string memory uri_,
    address creator_,
    address currency_
) external initializer {
    creator = creator_;
    currency = currency_;
}
```

Since MembershipERC1155 is an upgradeable contract using the initializer pattern, this function can only be called once, making any misconfiguration permanent.

Impact

  1. Permanent loss of contract functionality if currency_ is set to zero address

  2. Potential loss of funds if creator_ is set to zero address when no tokens are minted

Tools Used

Manual Review

Recommendations

Check both parameters against the zero address:

```solidity
function initialize(
    string memory name_,
    string memory symbol_,
    string memory uri_,
    address creator_,
    address currency_
) external initializer {
    // Reject zero addresses before any state is written
    require(creator_ != address(0), "Zero address not allowed for creator");
    require(currency_ != address(0), "Zero address not allowed for currency");
    creator = creator_;
    currency = currency_;
}
```
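The following is an added example, not part of the submission or the project's code. It uses a simplified one-shot flag as a stand-in for the `initializer` modifier (the contract names `OneShot`, `Unchecked`, `Checked` and `Demo` are hypothetical, and `address(1)` is a constructed placeholder) to show that an unchecked zero address cannot be corrected afterwards, while a reverted checked call leaves the contract uninitialized and can be retried with valid values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: minimal stand-in for the one-shot behaviour of an
// `initializer` modifier; not the project's implementation.
abstract contract OneShot {
    bool private _initialized;
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
}

contract Unchecked is OneShot {
    address public creator;
    address public currency;
    function initialize(address creator_, address currency_) external initializer {
        creator = creator_;
        currency = currency_;
    }
}

contract Checked is OneShot {
    address public creator;
    address public currency;
    function initialize(address creator_, address currency_) external initializer {
        require(creator_ != address(0), "Zero address not allowed for creator");
        require(currency_ != address(0), "Zero address not allowed for currency");
        creator = creator_;
        currency = currency_;
    }
}

contract Demo {
    // Returns (stuck, retried): both are true when the behaviour holds.
    function run() external returns (bool stuck, bool retried) {
        Unchecked u = new Unchecked();
        u.initialize(address(this), address(0)); // zero currency is accepted
        // A second call reverts, so the bad value can no longer be replaced.
        try u.initialize(address(this), address(1)) {} catch { stuck = true; }

        Checked c = new Checked();
        try c.initialize(address(this), address(0)) {} catch {
            // The revert also rolled back the one-shot flag, so a correct call succeeds.
            c.initialize(address(this), address(1));
            retried = c.currency() == address(1);
        }
    }
}
```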
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

wizard Submitter
7 months ago
0xbrivan2 Lead Judge
6 months ago
0xbrivan2 Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
