Submission Details
Severity:
Missing Zero-Address Validation
Description: The constructor doesn't validate if the token addresses are zero addresses. The actual vulnerability is found here:
constructor (address _WBTC, address _WETH, address _USDC) {
host = msg.sender;
i_WBTC = IERC20(_WBTC);
whitelisted[_WBTC] = true;
i_WETH = IERC20(_WETH);
whitelisted[_WETH] = true;
i_USDC = IERC20(_USDC);
whitelisted[_USDC] = true;
}
Impact: Deploying with zero addresses for tokens would break core contract functionality.
Recommended Mitigation: Add zero-address checks:
constructor (address _WBTC, address _WETH, address _USDC) {
require(_WBTC != address(0), "WBTC cannot be zero address");
require(_WETH != address(0), "WETH cannot be zero address");
require(_USDC != address(0), "USDC cannot be zero address");
host = msg.sender;
i_WBTC = IERC20(_WBTC);
whitelisted[_WBTC] = true;
i_WETH = IERC20(_WETH);
whitelisted[_WETH] = true;
i_USDC = IERC20(_USDC);
whitelisted[_USDC] = true;
}
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.