Medium Severity - Missing Zero Address Check for Chainlink Verifier
Summary
The update function in StabilityConfiguration.sol lacks validation for the Chainlink verifier address, allowing a zero-address configuration that would permanently disable price verification.
Vulnerability Details
The update function accepts any address for chainlinkVerifier without validation:
If set to address(0), all calls to verifyOffchainPrice will fail since the verifier proxy is invalid.
Proof of concept:
-
Admin accidentally calls
update(0x0, 3600) -
All
verifyOffchainPricecalls revert due to:
IVerifierProxy(0x0).verifyReport(...) -
Protocol becomes unusable until upgraded
Impact
Complete disruption of price verification system
Halting of all trading/liquidation functionality
Requires emergency protocol shutdown to resolve
High risk of protocol insolvency from unverified prices
Tools Used
Manual code review
Address validation pattern analysis
Recommendations
Add zero-address check:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.