No Zero-Address Check for _updateWeightRunner in UpdateRule Constructor
Summary
Within the UpdateRule base contract’s constructor:
there is no validation to ensure _updateWeightRunner is not the zero address. A zero address would invalidate any calls expecting updateWeightRunner to be a legitimate contract or account.
Vulnerability Details
Impact
Risk of Disabled Functionality: If _updateWeightRunner is set to address(0), any logic relying on it (e.g., weight updates) may be rendered inoperative.
Limited Attack Surface: Since this typically requires privileged (deployment-level) control, it’s not a direct security hole for non-privileged users, but it is still a best practice concern.
Tools Used
Manual audit
Recommendations
Add a Zero-Address Check
require(_updateWeightRunner != address(0), "Invalid updateWeightRunner");Document Valid Assumptions.
Explain that a valid, non-zero _updateWeightRunner is essential to ensure all weight update methods remain callable.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.