Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Zero Address Check for Owner in Constructor

rhaosec

Summary

The constructor of the contract does not validate the _owner address to prevent it from being set as the zero address (address(0)). This oversight can lead to an unintended scenario where the contract lacks an effective owner, rendering key functions inaccessible or vulnerable.

Vulnerability Details

The current constructor implementation includes zero address checks for _aaveV3Pool and _diva, but it relies solely on the inherited Ownable contract for _owner validation. However, if the inheritance behavior or external input validation fails, there is a risk of _owner being set to a zero address.

//For AaveDIVAWrapperCore.sol https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L52-L57
constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
// Validate that none of the input addresses is zero to prevent unintended initialization with default addresses.
// Zero address check on `owner_` is performed in the OpenZeppelin's `Ownable` contract.
if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
revert ZeroAddress();
}
//For AaveDIVAWrapper.sol https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapper.sol#L12
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Impact

  • Potential inability to manage or upgrade the contract due to the lack of a valid owner.

  • Increased risk of misconfiguration and operational issues.

Tools Used

Manual

Recommendations

Add an explicit zero address check for _owner in the constructor to ensure validation.

Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!