The UsdTokenSwapConfig::nextId function lacks a check to ensure that the user address is not the zero address. This could lead to potential issues in assigning a unique ID to a user if the zero address is passed.
The function nextId increments the swapRequestIdCounter for a given user address. However, there is no validation to check whether the user address is the zero address, 0x0000000000000000000000000000000000000000. The zero address is reserved for a variety of use cases in Ethereum contracts, and assigning a user ID to this address could lead to inconsistent behavior or vulnerabilities in the contract.
If a contract allows the zero address to be passed in, it could lead to unexpected behavior, such as the unintentional creation of an ID for the zero address or causing further errors down the line. Additionally, the zero address may be treated inappropriately, leading to potential misuse.
Add a validation check at the beginning of the nextId function to ensure that the user address is not the zero address. If the address is invalid, the function could either revert the transaction or handle it with an appropriate error message.
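One way to write the recommended check, shown beside the unchecked behaviour the finding describes. This is an added sketch, not the project's own code: the Data struct layout, the ZeroAddress error, the nextIdUnchecked name and the harness contract are assumptions; only nextId, swapRequestIdCounter and user come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the library; not the project's source.
library UsdTokenSwapConfigSketch {
    // Assumed error name.
    error ZeroAddress();

    // Assumed layout: only the per-user counter named in the finding is modelled.
    struct Data {
        mapping(address user => uint128 counter) swapRequestIdCounter;
    }

    // Behaviour described in the finding: any address, including address(0),
    // is given an id and has its counter advanced.
    function nextIdUnchecked(Data storage self, address user) internal returns (uint128 id) {
        id = ++self.swapRequestIdCounter[user];
    }

    // Recommended form: reject the zero address before touching the counter.
    function nextId(Data storage self, address user) internal returns (uint128 id) {
        if (user == address(0)) revert ZeroAddress();
        id = ++self.swapRequestIdCounter[user];
    }
}

// Minimal harness (assumed) so both paths can be exercised from a test suite.
contract SwapIdHarness {
    using UsdTokenSwapConfigSketch for UsdTokenSwapConfigSketch.Data;

    UsdTokenSwapConfigSketch.Data private config;

    // Returns 1, 2, 3, ... even when user is address(0).
    function requestIdUnchecked(address user) external returns (uint128) {
        return config.nextIdUnchecked(user);
    }

    // Reverts with ZeroAddress() when user is address(0); counter stays unchanged.
    function requestId(address user) external returns (uint128) {
        return config.nextId(user);
    }

    // Lets a test confirm whether a counter was created for a given address.
    function counterOf(address user) external view returns (uint128) {
        return config.swapRequestIdCounter[user];
    }
}
```

A regression test for the fix would call requestId(address(0)), expect the ZeroAddress revert, and then assert that counterOf(address(0)) is still 0.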