Lack Of Zero Address Validation in setETHUSDOracle function.
Summary
The setETHUSDOracle function in the UpdateWeightRunner contract allows an admin to update the address of the ETH/USD oracle. However, the function currently does not include a check to prevent the ethUsdOracle from being set to the zero address. This issue can lead to the contract failing to interact with an actual oracle, causing operational issues.
Affected Function:
The issue is located in the setETHUSDOracle function in the contract:
Vulnerability Details
Lack of Zero Address Protection: In the current implementation, the
setETHUSDOraclefunction does not properly protect against the possibility of setting the ETHUSDOracle address toaddress(0). This issue occurs because there is norequirestatement, which is meant to prevent this, does not enforce the check at the point of call or with adequate clarity.
Impact
The absence of a valid ETHUSDoracle will cause price data to be unavailable, potentially locking up contract operations or causing incorrect behavior in contract interactions.
Operational Failure: The inability to fetch ETH/USD data would break any features in the contract that rely on this data.
Tools Used
Manually source code review.
Recommendations
Here is fixed version of this function:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.