Submission Details
Severity:
[L-1] Missing zero-address validation in constructor
Summary
The constructor doesn't validate against zero addresses for token parameters.
Vulnerability Details
constructor (address _WBTC, address _WETH, address _USDC) {
host = msg.sender;
i_WBTC = IERC20(_WBTC);
whitelisted[_WBTC] = true;
i_WETH = IERC20(_WETH);
whitelisted[_WETH] = true;
i_USDC = IERC20(_USDC);
whitelisted[_USDC] = true;
}
Impact
Low: Contract could be deployed with invalid token addresses
Potential redeployment needed if misconfigured
Tools Used
Foundry for testing
function test_zeroAddressTokens() public {
vm.prank(host);
ChristmasDinner newDinner = new ChristmasDinner(
address(0),
address(0),
address(0)
);
// Contract deploys successfully with zero addresses
}
Recommendations
Add zero-address checks:
constructor (address _WBTC, address _WETH, address _USDC) {
require(_WBTC != address(0), "Zero address WBTC");
require(_WETH != address(0), "Zero address WETH");
require(_USDC != address(0), "Zero address USDC");
// ... rest of constructor
}
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.