Missing Validation for creator_ and currency_ Addresses in initialize Function
Summary
In the initialize function, the creator_ and currency_ addresses are passed in externally and set for the contract without any validation. This could lead to the acceptance of invalid addresses (e.g., the address 0x0 or addresses that are not contracts/tokens). Invalid addresses can cause errors during contract execution or result in the contract not functioning as expected, posing security risks and impacting users.
Vulnerability Details
The initialize function is called to set up basic parameters for the contract. However, it does not validate the input addresses creator_ and currency_, which can lead to:
0x0 Address (null address): If
creator_orcurrency_is 0x0, any functions that require these addresses may encounter errors during execution or lead to an invalid contract state.Non-contract address:
currency_is intended to store the address of a currency token. If this address is not a valid ERC20 token contract or any valid contract, the contract may not function correctly, causing errors in currency-related transactions.
The lack of validation for these addresses opens up potential errors or spoofing attacks if an attacker deliberately provides invalid addresses.
Impact
Functions that rely on creator_ or currency_ may encounter errors or behave unexpectedly when these addresses are invalid.
Tools Used
Manual
Recommendations
Ensure addresses are not 0x0: Add a
requirecondition to check for non-zero addresses.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.