While the setRouter()
function is restricted by the onlyMnagement
modifier, missing validation for _router
is still a concern because access control alone does not guarantee safe input or prevent mistakes.
Missing Router Address Validation
Human Error by Authorized Management
Even trusted management accounts can make mistake such as:
Setting _router
to address(0)
(the zero address), which would render the contract non-functional.
Inputting an incorrect bor malicious address unintentionally.
Defense-in-Depth
Validation acts an additional safeguard, ensuring the _router
address is explicitly verified before making critical state change.
This is particularly important for contracts with dealing with financial transactions or interacting with external systems.
Manual review
Add a simple validation check
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.