File: WToken.sol
Occurrence: Line 16
The constructor of the WToken contract does not validate the owner_ parameter, allowing it to be set to the zero address (address(0)). This oversight can result in the contract becoming non-functional as no valid owner would be able to execute onlyOwner functions.
The absence of a require statement to validate the owner_ parameter in the constructor allows the _owner to be set as the zero address. The zero address is a special address in Ethereum that no one controls, which leads to the inaccessibility of all functions restricted to the onlyOwner modifier.
Code Snippet:
If the _owner is set to the zero address:
Owner-Only Functions Inaccessible: Functions such as mint and burn will no longer be executable, resulting in a denial of service for these operations.
Irrecoverable Contract State: The lack of a valid owner makes the contract irrecoverable without redeployment.
Operational and Financial Risks: If the contract is used in a larger system, its malfunction can disrupt dependent components, potentially leading to financial losses or governance deadlocks.
Severity: Medium to High (depends on how critical owner-only operations are for the system).
Manual code review
Static analysis of constructor parameters
To mitigate the issue, add a validation check in the constructor to ensure that the owner_ parameter is not the zero address. The updated constructor should look like this:
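A minimal sketch of that check, added here as an illustration and not taken from WToken.sol. The contract name WTokenSketch, the single-argument constructor, the balance bookkeeping and the revert strings are assumptions; only owner_, _owner, onlyOwner, mint and burn come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only: not the audited WToken.sol.
// Assumed: contract name, constructor signature, storage layout, revert strings.
contract WTokenSketch {
    address private _owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    modifier onlyOwner() {
        // msg.sender can never equal address(0), so a zero _owner means
        // this check fails for every caller, permanently.
        require(msg.sender == _owner, "WTokenSketch: caller is not the owner");
        _;
    }

    // Weak form described in the finding: the body is only `_owner = owner_;`,
    // so a deployment with address(0) succeeds and locks mint and burn.
    constructor(address owner_) {
        // Hardened form: validate before storing. A zero owner_ now reverts
        // the deployment transaction, so the broken contract never exists.
        require(owner_ != address(0), "WTokenSketch: owner is the zero address");
        _owner = owner_;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyOwner {
        balanceOf[from] -= amount; // checked arithmetic reverts on underflow
        totalSupply -= amount;
    }
}
```

Because the check runs in the constructor, the failure surfaces at deployment time rather than on the first mint or burn call.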